On April 12, 2024, Palo Alto Networks published an advisory for CVE-2024-3400, a critical command injection vulnerability (CVSS 10.0) in the GlobalProtect feature of PAN-OS, the operating system running on all Palo Alto Networks firewalls. The vulnerability was already being exploited in the wild as a zero-day, and the initial exploitation was attributed to a state-sponsored threat actor tracked by Volexity as UTA0218.
The Vulnerability
CVE-2024-3400 is a command injection vulnerability in the GlobalProtect portal and gateway features of PAN-OS. Specifically, the flaw existed in how the SESSID cookie value was processed by the GlobalProtect service. An unauthenticated attacker could send a specially crafted request to a vulnerable GlobalProtect endpoint, injecting operating system commands that would execute with root privileges on the firewall.
The affected versions were PAN-OS 10.2, 11.0, and 11.1 when both GlobalProtect gateway and device telemetry were enabled. The prerequisite of having device telemetry enabled limited the attack surface somewhat, but this feature is enabled by default in many deployments, particularly those using Cortex Data Lake or other Palo Alto analytics services.
The exploitation was straightforward for a skilled attacker. A single HTTP request to the GlobalProtect endpoint with a malicious SESSID cookie value could achieve command execution. No authentication was required. No user interaction was needed. The attacker just needed network access to the GlobalProtect portal or gateway, which by design is exposed to the internet.
Exploitation in the Wild
Volexity detected the exploitation on April 10, 2024, during an incident response engagement. They observed a threat actor exploiting the zero-day to gain initial access to a Palo Alto firewall, after which the attacker:
- Established a reverse shell from the firewall to attacker-controlled infrastructure
- Downloaded additional tools onto the firewall
- Extracted the firewall's running configuration, which contained credentials and network information
- Used the firewall as a pivot point to move laterally into the victim's internal network
- Deployed a custom Python-based backdoor (dubbed UPSTYLE by Volexity) on the firewall for persistent access
The UPSTYLE backdoor was designed to blend into the PAN-OS environment. It monitored the firewall's web server access logs for specially formatted requests containing commands, executed those commands, and wrote the output to a CSS file that the attacker could retrieve through another web request. This approach was stealthy because it used legitimate web server files and did not create additional network connections.
The Patch Timeline
Palo Alto's response to CVE-2024-3400 was complicated by the severity and active exploitation:
- April 12: Advisory published with no patch available. Palo Alto recommended disabling device telemetry as a mitigation.
- April 14: Palo Alto released hotfix patches for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3.
- April 15: Palo Alto updated its advisory to clarify that the initial mitigation (disabling telemetry) was not sufficient and that the Threat Prevention signature it had released was also necessary.
- April 16-18: Additional hotfix patches were released for other PAN-OS versions.
The two-day gap between disclosure and patch availability left organizations in a difficult position. They could disable device telemetry (reducing visibility into their own network) or accept the risk while waiting for patches. For firewalls that were the primary internet-facing security appliance, neither option was appealing.
The Broader Pattern
CVE-2024-3400 continued a disturbing trend of critical zero-days in network perimeter devices. In the preceding months:
- Ivanti Connect Secure had been hit with CVE-2024-21887 and CVE-2023-46805 (January 2024)
- Citrix NetScaler had suffered CVE-2023-4966 "Citrix Bleed" (late 2023)
- Fortinet had dealt with multiple critical FortiOS vulnerabilities throughout 2023
The pattern is consistent: state-sponsored threat actors are systematically identifying and exploiting zero-days in the network appliances that organizations deploy to protect their perimeters. These devices are attractive targets because they are internet-facing, handle authentication, have deep network access, and often lack the endpoint security tooling that would detect post-exploitation activity on a standard server or workstation.
The irony is acute. The devices organizations deploy to secure their networks are becoming the primary vector through which those networks are compromised. This does not mean firewalls are useless. It means that firewalls, like all software, have vulnerabilities, and the security model that treats them as trusted bastions rather than potentially compromised endpoints needs to evolve.
Recommendations
Organizations running Palo Alto firewalls should patch immediately if they have not already. Beyond patching, security teams should:
Check whether their firewalls were vulnerable during the exploitation window (April 10-14 or until patching). If they were, conduct a thorough investigation including reviewing firewall logs for suspicious SESSID values, checking for unauthorized configuration changes, and looking for indicators of the UPSTYLE backdoor.
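As an added example (not from the advisory or the original post), a small Python triage routine in the spirit of the log review described above: it pulls the raw SESSID value from logged Cookie headers and flags any value that falls outside an assumed allow-list of opaque session tokens. The token format, the log line shape and the sample lines are all constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# ASSUMPTION for this example: a legitimate SESSID is an opaque token of URL-safe
# characters within a plausible length range. Derive the real allow-list from a
# baseline of known-good values observed on your own portals.
ALLOWED_SESSID = re.compile(r"^[A-Za-z0-9_-]{8,128}$")

# Characters that have no business in a session token; each hit becomes a reason.
SUSPICIOUS_MARKERS = {
    "path separator": re.compile(r"[/\\]"),
    "parent traversal": re.compile(r"\.\."),
    "shell metacharacter": re.compile(r"[;|&`$<>(){}]"),
    "whitespace or control": re.compile(r"[\s\x00-\x1f]"),
}

def extract_sessid(line: str) -> Optional[str]:
    """Return the raw SESSID value from a logged Cookie header, or None.

    The value is taken verbatim to end of line instead of through a cookie
    parser: a parser splits on ';' and would discard exactly the characters
    an injection attempt relies on.
    """
    m = re.search(r"Cookie:\s*.*?\bSESSID=(.*)$", line)
    return m.group(1) if m else None

def triage_sessid(log_lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, value, reasons) for every SESSID outside the allow-list."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        value = extract_sessid(line)
        if value is None or ALLOWED_SESSID.fullmatch(value):
            continue
        reasons = [name for name, rx in SUSPICIOUS_MARKERS.items() if rx.search(value)]
        findings.append((n, value, reasons or ["unexpected length or character set"]))
    return findings

# Constructed sample lines in a simplified access-log shape (not real PAN-OS output).
SAMPLE_LOG = [
    "203.0.113.10 GET /global-protect/portal/login Cookie: SESSID=1f9c8b2a7e6d4c3b9a0f",
    "203.0.113.11 GET /global-protect/portal/login Cookie: SESSID=../../x;whoami",
    "203.0.113.12 GET /global-protect/portal/login Cookie: lang=en; SESSID=3a2b1c0d9e8f7a6b",
    "203.0.113.13 GET /global-protect/portal/login Cookie: SESSID=ab",
]

if __name__ == "__main__":
    for n, value, reasons in triage_sessid(SAMPLE_LOG):
        print(f"line {n}: SESSID={value!r} flagged: {', '.join(reasons)}")
```

The allow-list approach matters more than the marker list: a token that merely has the wrong length or alphabet is still surfaced, so the review does not depend on guessing which metacharacters an attacker used.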
Implement network segmentation that limits what an attacker can reach even if they compromise a perimeter firewall. If your firewall can directly access your Active Directory domain controllers, database servers, and crown jewel applications, you have a single point of failure.
Monitor outbound connections from network appliances. Firewalls should not be initiating connections to unknown external hosts. Detecting the reverse shell that attackers establish after exploitation is often the best chance at early detection.
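An added example of the outbound-connection check described above (not part of the original post): given an appliance inventory and an allow-list of expected vendor destinations, it flags any connection an appliance initiates to some other external host. The addresses, ports and flow records are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory of appliance source addresses (in practice, from the asset inventory).
APPLIANCE_IPS = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}

# Destinations treated as internal and left to segmentation controls (RFC 1918 plus
# loopback). Checked explicitly rather than via is_private, which in Python also
# covers the documentation ranges used below as stand-ins for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# ASSUMPTION: the only external hosts an appliance should initiate traffic to are its
# vendor update/telemetry endpoints on a few well-known ports. Placeholder network.
EXPECTED_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_PORTS = {443, 53, 123}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "out" when the source initiated the connection

def is_suspicious_egress(flow):
    """True when an appliance initiates a connection to an unexpected external host,
    the reverse-shell / tool-download pattern. Inbound traffic and non-appliance
    sources are out of scope here."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.direction != "out" or src not in APPLIANCE_IPS:
        return False
    if any(dst in net for net in INTERNAL_NETS):
        return False
    expected_host = any(dst in net for net in EXPECTED_EGRESS)
    return not (expected_host and flow.dport in EXPECTED_PORTS)

def find_suspicious_egress(flows):
    """Return only the flows worth an analyst's attention."""
    return [f for f in flows if is_suspicious_egress(f)]

# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "198.51.100.20", 443, "out"),    # expected vendor endpoint
    Flow("10.0.0.1", "10.0.5.53", 53, "out"),         # internal resolver
    Flow("192.168.1.50", "203.0.113.9", 443, "out"),  # a workstation, not an appliance
    Flow("10.0.0.2", "203.0.113.77", 8080, "out"),    # appliance -> unknown host: flag
    Flow("203.0.113.9", "10.0.0.1", 443, "in"),       # inbound to the portal, not egress
]
```

Only the fourth record is returned; an expected vendor host contacted on an unexpected port is also flagged, since the allow-list is on the host and port pair.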
How Safeguard.sh Helps
Safeguard.sh tracks vulnerabilities across your entire infrastructure, including network appliances like Palo Alto firewalls. When critical zero-days like CVE-2024-3400 are published, Safeguard.sh immediately identifies affected devices in your inventory and prioritizes them for remediation. Our policy gate system can enforce patch compliance requirements, ensuring that critical vulnerabilities are addressed within your defined SLA windows. For organizations managing dozens or hundreds of firewalls across multiple locations, the ability to instantly assess exposure across the entire fleet is the difference between a coordinated response and a scramble.