May 8, 2024 HAWKEYE

CVE-2024-3400: Palo Alto PAN-OS Command Injection Vulnerability

Palo Alto Networks discovered a significant vulnerability in PAN-OS software used in security appliances such as next-generation firewalls on April 12th, 2024.


CVE-2024-3400 is a critical command injection vulnerability. The vulnerability allows attackers to remotely execute root-privileged commands in Palo Alto firewalls. Given the potential consequences, companies ought to patch their vulnerable PAN-OS software as soon as feasible.

In this blog, we discuss how the Palo Alto PAN-OS CVE-2024-3400 vulnerability works and how organizations can defend against it.

CVE-2024-3400 Details:

This vulnerability allows an arbitrarily named file to be written to the underlying filesystem via a payload supplied in an HTTP cookie. Using directory traversal, the payload is written as the file name into a controlled location where a cron job later processes it; that cron job runs a telemetry-related script that is itself vulnerable to command injection. The result is root-level, out-of-band remote code execution. To be clear, it is the name of the file that carries the Bash command to be run, not its contents.

The vulnerability originates in the handling of the "SESSID" cookie value, which causes a new file to be created as root for each session. From there, code can be executed by way of Bash operations.

This vulnerability was analysed using a newly released proof of concept (PoC). The requests and accompanying responses below may be of use if you are running a vulnerable product version or wish to test the vulnerability yourself. The SESSID value shown below has been the main target of testing and demonstrations of the OS command injection vulnerability.

Step 1: Creation of a file on the server with root access:

The file is created on the server

Step 2: Check for the presence of the created file:

GET request for fetching the file

Response for the GET request

On a vulnerable system, attempting to access the created file returns a 403 Forbidden rather than a 404 Not Found: the file exists but cannot be served. If the system is not vulnerable, a 404 Not Found is expected at this step.

Step 3: Command injection:

Command injection

CVE-2024-3400 has been assigned a critical severity rating of 10.0. Two weaknesses make this CVE so severe:

  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • CWE-20: Improper Input Validation

Affected Versions:

The PAN-OS versions affected by CVE-2024-3400 are:

Product        Affected Versions              Fixed Version
PAN-OS 11.1    Versions prior to 11.1.2-h3    11.1.2-h3
PAN-OS 11.0    Versions prior to 11.0.4-h1    11.0.4-h1
PAN-OS 10.2    Versions prior to 10.2.9-h1    10.2.9-h1

This vulnerability only affects versions 10.2, 11.0, and 11.1 that are set up with GlobalProtect Gateway or GlobalProtect Portal. In contrast, Prisma Access, Panorama appliances, and the Cloud NGFW remain unaffected.
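Added here as a worked example (not from the original post or from Palo Alto Networks): a small Python helper that decides whether a PAN-OS build falls below the fixed release for its train, treating a release without a hotfix suffix as lower than its -h1 hotfix. Whether GlobalProtect Gateway or Portal is configured is supplied by the caller; the device inventory is constructed sample data.

```python
import re

# Fixed releases from the advisory table above, keyed by train (major, minor).
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS build strings look like "11.1.2" or "11.1.2-h3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Turn '10.2.9-h1' into (10, 2, 9, 1). A release without a hotfix suffix
    counts as hotfix 0, so '10.2.9' sorts below '10.2.9-h1' and is affected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version, globalprotect_configured):
    """True if this build needs the CVE-2024-3400 fix: only the 10.2, 11.0 and
    11.1 trains, and only with GlobalProtect Gateway or Portal configured
    (a fact the caller supplies; it cannot be read from the version string)."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None or not globalprotect_configured:
        return False
    return parsed < parse_version(fixed)


def affected_devices(inventory):
    """Reduce (hostname, version, globalprotect_configured) tuples to the
    hostnames that still need patching."""
    return [host for host, ver, gp in inventory if is_affected(ver, gp)]


if __name__ == "__main__":
    sample = [  # constructed inventory, not real devices
        ("fw-edge-1", "10.2.8-h3", True),   # below 10.2.9-h1
        ("fw-edge-2", "10.2.9", True),      # base release predates the h1 hotfix
        ("fw-edge-3", "11.1.2-h3", True),   # fixed release
        ("fw-dc-1", "11.0.3", False),       # affected train, no GlobalProtect
        ("fw-lab", "10.1.9", True),         # 10.1 train is not listed as affected
    ]
    print(affected_devices(sample))  # ['fw-edge-1', 'fw-edge-2']
```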


PAN-OS and GlobalProtect are leading security products used extensively by enterprises across the globe. Recent research focused on PAN-OS and GlobalProtect found that over 34,000 endpoints are externally reachable. It is noteworthy that GlobalProtect might have a distinct user base, possibly separate from PAN-OS's.

Top countries GlobalProtect and Pan-OS

Public Exploitation:

Volexity found that a threat actor identified as UTA0218 was exploiting the CVE-2024-3400 vulnerability in the wild. The vulnerability was used by adversaries to install UPSTYLE, a Python-based backdoor, which allowed them to get continuous access to the target organizations.

UPSTYLE backdoor attack flow (Source: Volexity)

Detecting CVE-2024-3400:

Palo Alto Networks has acknowledged that threat actors are taking advantage of this specific vulnerability. They have acknowledged Volexity for finding the vulnerability in a recent report. The number of organizations under serious and immediate risk from this exploitation is rising. Additionally, the vulnerability’s proof of concept has been made public by third parties.

To check a device for exploitation attempts, run the following command on the command-line interface of the PAN-OS device:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

This command searches the device's gpsvc logs for entries associated with the vulnerability.

The existence of such entries in your logs may indicate the possibility of a device exploitation attempt, which could look like this:

failed to unmarshal session(../../some/path)

A normal, harmless log entry would look like this:

failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
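As an added illustration (not part of the original post or of Palo Alto Networks' guidance), the following Python applies the same check to an exported log offline: a session value that is not a UUID is flagged, and one containing a path separator, the condition the grep pattern above matches, is reported as a traversal attempt. The log lines are constructed samples in the style of the entries quoted above.

```python
import re

# Constructed sample lines in the style of the gpsvc.log entries quoted above;
# these are not real device logs.
SAMPLE_LOG = """\
2024-04-13 10:01:22 failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
2024-04-13 10:02:05 failed to unmarshal session(../../some/path)
2024-04-13 10:02:06 failed to unmarshal session(./../../../constructed/path/name)
2024-04-13 10:03:00 gpsvc started
"""

# Legitimate session IDs are UUIDs; anything else inside the parentheses is suspect.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((.*)\)")


def classify_line(line):
    """Return None for unrelated lines, 'benign' for a UUID session value,
    'traversal' when the value contains a path separator (what the advisory's
    grep pattern matches), or 'suspicious' for any other non-UUID value."""
    m = UNMARSHAL_RE.search(line)
    if m is None:
        return None
    value = m.group(1)
    if UUID_RE.match(value):
        return "benign"
    if "/" in value:
        return "traversal"
    return "suspicious"


def scan_log(text):
    """Summarise a log export: counts per class plus the lines worth triage."""
    counts = {"benign": 0, "traversal": 0, "suspicious": 0}
    flagged = []
    for line in text.splitlines():
        verdict = classify_line(line)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict != "benign":
            flagged.append(line)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = scan_log(SAMPLE_LOG)
    print(counts)  # {'benign': 1, 'traversal': 2, 'suspicious': 0}
    for line in flagged:
        print("FLAGGED:", line)
```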

Mitigation:

  • Software releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later versions are not affected by this vulnerability. Updating your software to these versions fully protects your systems against exploitation.
  • Palo Alto Networks has made hotfixes available for commonly used maintenance releases of PAN-OS 10.2, 11.0 and 11.1, for users who cannot update to the most recent versions right away. These hotfixes offer a temporary fix while you prepare for the complete update.
  • If you have an active Threat Prevention subscription, enable Threat IDs 95187, 95189 and 95191 to block attacks targeting CVE-2024-3400. These Threat IDs are included in Applications and Threats content version 8836-8695 and later.




We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.