CRITICAL 10.0CISA KEV — Actively ExploitedKnown ransomware use

CVE-2024-3400: Critical PAN-OS GlobalProtect RCE Vulnerability

CVE-2024-3400 is a critical vulnerability in Palo Alto Networks PAN-OS that allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The flaw exists in the GlobalProtect feature and stems from a combination of arbitrary file creation and command injection issues. An attacker on the network can exploit this without authentication or user interaction, gaining complete control over the firewall—a catastrophic outcome for any organization relying on that appliance as a security boundary.

Source data · NVD / CISA · public domain

CVSS
3.1 · 10.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20, CWE-77
Affected products
52 configuration(s)
Published / Modified
2024-04-12 / 2026-06-17
KEV due date
2024-04-19 (added 2024-04-12)

NVD description (verbatim)

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability arises from improper input validation (CWE-20) and command injection (CWE-77) in PAN-OS GlobalProtect, enabling unauthenticated remote code execution with root privileges. The attack vector is network-based, requires no privileges or user interaction, and impacts the system's integrity, confidentiality, and availability without scope restrictions. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects the severity: network-accessible, low attack complexity, and cross-boundary impact. The vulnerability affects specific PAN-OS versions and configurations; Cloud NGFW, Panorama, and Prisma Access are unaffected.

Business impact

Compromise of a PAN-OS firewall running GlobalProtect represents a total loss of perimeter security. An attacker gains root access to the device itself, permitting traffic interception, sensitive data exfiltration, malware injection into internal networks, and denial of service. Depending on firewall placement and configuration, a single compromised appliance can become a pivot point for lateral movement into critical infrastructure. The CISA KEV listing and documented ransomware activity indicate active exploitation in the wild, elevating urgency beyond theoretical risk.

Affected systems

Palo Alto Networks PAN-OS is vulnerable when running specific versions with GlobalProtect enabled and certain feature configurations active. Cloud NGFW deployments, Panorama management appliances, and Prisma Access are explicitly not affected. Organizations must verify their PAN-OS version and GlobalProtect deployment model against Palo Alto's security advisory to determine exposure.

Exploitability

This vulnerability is exploitable by any network-connected attacker without requiring credentials or social engineering. The low attack complexity and absence of user interaction requirements mean exploitation is straightforward and automated. CISA's inclusion on the Known Exploited Vulnerabilities catalog with a ransomware association confirms active, weaponized exploitation. The threat is immediate and likely already being targeted in the wild.

Remediation

Organizations must apply security patches released by Palo Alto Networks as soon as feasible. Patch availability and specific version numbers vary; consult Palo Alto's official security advisory for applicable updates to your PAN-OS installations. Interim mitigation may include network segmentation to limit attacker access to GlobalProtect endpoints, though patching remains the definitive fix. Given the CISA KEV due date and active exploitation, patch deployment should be treated as emergency-priority work.

Patch guidance

Contact Palo Alto Networks or consult their security advisory (published April 12, 2024) for the specific patch versions addressing CVE-2024-3400 in your PAN-OS deployment. Patches are likely available for multiple PAN-OS major versions; verify compatibility before deployment. Prioritize lab validation in test environments first, then stage rollout to production systems to minimize operational disruption. Given the criticality, expedited change management and thorough testing are justified.

Detection guidance

Monitor firewall access logs and GlobalProtect session activity for unusual connection patterns, especially unauthenticated requests to GlobalProtect endpoints. Look for anomalous file creation or command execution on the firewall appliance itself—particularly writes to unexpected directories and process execution by privileged system services. Endpoint detection and response (EDR) agents on systems behind the firewall may observe suspicious lateral movement if the device is compromised. Network intrusion detection systems should be tuned to flag known exploitation signatures for this CVE.

Why prioritize this

CVE-2024-3400 demands immediate remediation for three reasons: (1) CVSS 10 criticality with unauthenticated remote code execution as root, (2) confirmed active exploitation documented in CISA's KEV catalog with ransomware associations, and (3) the firewall's role as a critical security boundary—compromise is equivalent to removing your perimeter defenses entirely. Any organization running vulnerable PAN-OS versions with GlobalProtect should treat this as a security emergency.

Risk score, explained

The CVSS 3.1 score of 10 reflects maximum severity: network accessibility (AV:N), minimal attack complexity (AC:L), no authentication requirement (PR:N), no user interaction (UI:N), system-wide scope (S:C), and complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The presence on CISA's KEV list and documented ransomware use further elevates real-world risk beyond theoretical bounds. This is among the most severe vulnerability classes: unauthenticated remote code execution on infrastructure.

Frequently asked questions

Does this affect our Cloud NGFW or Panorama deployments?

No. Palo Alto Networks explicitly states that Cloud NGFW, Panorama appliances, and Prisma Access are not impacted. The vulnerability is specific to on-premises PAN-OS firewalls with GlobalProtect enabled in certain configurations.

What if we don't use GlobalProtect on our firewalls?

The vulnerability requires GlobalProtect to be active. If your firewalls do not have GlobalProtect configured or enabled, they are not at risk from this specific CVE. However, verify your configuration against the vendor advisory to be certain.

Is there an interim workaround if we can't patch immediately?

Network segmentation and access controls can reduce exposure—restricting which systems can reach GlobalProtect endpoints. However, these are temporary measures only. Patching is essential and should proceed as urgently as possible given active exploitation.

How do we know if our firewall has been compromised?

Look for unauthorized file creation, unexpected processes running with elevated privileges, unusual log entries, or suspicious outbound connections from the firewall. Engage your incident response team or a forensics partner if compromise is suspected.

This analysis is provided for informational purposes and does not constitute legal, compliance, or vendor-specific technical advice. Verify all patch availability, affected version ranges, and compatibility with Palo Alto Networks' official security advisory before deployment. Organizations should engage with their Palo Alto Networks support team or qualified security consultants for deployment guidance specific to their environment. SEC.co does not assume liability for patch validation, testing, or deployment outcomes. Source: NVD (public-domain), retrieved 2026-07-06. Analysis generated by SEC.co (claude-haiku-4-5).

Preview — this page is review (quality 1). high-value: hold for review.