Emergency Security Bulletin | RedLegg | 96Bravo


4/12/24 12:19 PM  |  by RedLegg's Cyber Threat Intelligence Team


RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

Executive Summary

On April 12, 2024, Palo Alto Networks published details related to a vulnerability (CVE-2024-3400) affecting PAN-OS devices running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 for firewalls with GlobalProtect gateway and telemetry features enabled. CVE-2024-3400 allows for unauthenticated command injection, allowing adversaries to remotely execute arbitrary commands on PAN-OS devices with GlobalProtect and telemetry enabled with root privileges. This vulnerability has been reported by CISA and Volexity to actively being exploited in the wild as early as April 10, 2024. If you believe that you have been affected by attacks leveraging this vulnerability, Palo Alto recommends uploading a technical support file to their Customer Support Portal to identify if you have been affected or not.


Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Identifier: CVE-2024-3400 – CVSS Score 10 (CRITICAL)
Exploit or POC: Yes (Actively Being Exploited)
Update: Palo Alto Networks Security Advisories / CVE-2024-3400

Description: CVE-2024-3400 allows for an unauthenticated user to execute arbitrary code via command injection. Palo Alto Networks has identified a command injection flaw in their GlobalProtect feature of the PAN-OS software. The successful exploitation of this vulnerability could grant an unauthenticated adversary the ability to execute arbitrary code on the impacted firewall using root user privileges.

Mitigation recommendation: Palo Alto has included detailed Workaround and Mitigation recommendations in their Palo Alto Networks Security Advisories / CVE-2024-3400. Palo Alto customers are strongly advised to apply vendor mitigation instructions disclosed above. Palo Alto customers with a Threat Prevention subscription should enable Threat Prevention Threat ID 95187 to block attacks utilizing this vulnerability.

RedLegg Action: None at this time.

Get Blog Updates

Related Articles

Patch Tuesday -  June 2024 Bulletin, Vulnerability Bulletins

Patch Tuesday - June 2024

*Important note: These are not the only vulnerabilities that were recently released; however, these are the ...
Patch Tuesday -  May 2024 Bulletin, Vulnerability Bulletins

Patch Tuesday - May 2024

*Important note: These are not the only vulnerabilities that were recently released; however, these are the ...
Critical Security Vulnerabilities Bulletin