CVE-2024-3400

Palo Alto Networks PAN-OS GlobalProtect — Two-Bug Chain Enables Unauthenticated Root Command Execution; Zero-Day Exploited by UTA0218
CVSS 3.1: 10 / 10 — CRITICAL | CISA Known Exploited Vulnerability

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 12, 2024 with a remediation deadline of April 19, 2024 — one of the shortest remediation windows ever set by CISA, reflecting the severity and active exploitation. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2024-3400 is a CVSS 10.0 command injection vulnerability in Palo Alto Networks PAN-OS, exploitable via the GlobalProtect Gateway or GlobalProtect Portal feature. An unauthenticated attacker can chain two bugs — an arbitrary file creation vulnerability and a command injection triggered by a cron job — to execute arbitrary OS commands as root on the firewall. The vulnerability was exploited as a zero-day by threat actor UTA0218 (assessed by Unit 42 as likely a Chinese state-sponsored group) beginning at least 17 days before the patch was released.

The 7-day CISA remediation deadline and CVSS 10.0 score reflect the severity of an internet-facing network security appliance — a next-generation firewall — being fully compromised by an unauthenticated attacker with no user interaction required.

What Is PAN-OS GlobalProtect?

PAN-OS is the operating system running Palo Alto Networks next-generation firewalls and Panorama management appliances. The GlobalProtect feature provides SSL VPN and zero-trust network access for remote users, exposing a gateway and/or portal endpoint on the internet. Organizations deploy GlobalProtect as their primary remote access VPN — making the firewall appliance itself a high-value target that, if compromised, provides a privileged network position to observe and intercept all traffic passing through the firewall.

Affected Versions

The vulnerability requires a GlobalProtect gateway or GlobalProtect portal to be configured on the device and device telemetry to be enabled (it is enabled by default). Devices without GlobalProtect configured are not affected.

PAN-OS Version             Vulnerable             Fixed Version
PAN-OS 11.1                Before 11.1.2-h3       11.1.2-h3
PAN-OS 11.0                Before 11.0.4-h1       11.0.4-h1
PAN-OS 10.2                Before 10.2.9-h1       10.2.9-h1
PAN-OS 10.1 and earlier    Not affected           n/a
Cloud NGFW                 Not affected           n/a
Prisma Access              Not affected           n/a
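As an added example (not from the advisory and not Palo Alto Networks code), the following Python checker encodes the table above and decides whether a reported PAN-OS version is still in the affected range, taking hotfix suffixes such as -h3 into account. It assumes the sw-version: field name used in show system info output, and treats branches that the table does not list as not affected.

```python
import re

# First fixed release per affected branch, taken from the advisory table.
# 10.1 and earlier, Cloud NGFW and Prisma Access are listed as not affected.
FIXED_VERSIONS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a release without a hotfix gets 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version, globalprotect_configured=True):
    """True when the version is below the first fixed release of its branch.

    The advisory scopes the bug to devices with a GlobalProtect gateway or
    portal configured, so a caller that knows otherwise can pass the flag.
    """
    if not globalprotect_configured:
        return False
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branches not in the table (10.1 and earlier per the advisory; any
        # other branch by assumption) are reported as not affected.
        return False
    return v < parse_version(fixed)


def version_from_system_info(output):
    """Extract the sw-version value from 'show system info' output (assumed field name)."""
    m = re.search(r"sw-version:\s*(\S+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample = "hostname: fw-edge-1\nsw-version: 10.2.8-h3\n"
    ver = version_from_system_info(sample)
    print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed or not affected'}")
```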

Technical Details

Root Cause: Two Vulnerabilities Chained for RCE

CVE-2024-3400 is the result of two separate bugs working together:

Bug 1 — Arbitrary File Creation via SESSID Cookie: The GlobalProtect gateway processes session cookies from unauthenticated requests. The SESSID cookie value is used as part of a filename for temporary session files written to disk. The value is not sufficiently sanitized — an attacker can embed path traversal characters or shell metacharacters in the SESSID value, causing PAN-OS to create a file at an attacker-controlled path with attacker-controlled content.

Bug 2 — Command Injection via Cron Job: PAN-OS runs a periodic cron job (related to telemetry or session management) that processes files in the session file directory. When it encounters files whose names contain shell metacharacters — specifically from the SESSID values written by Bug 1 — the cron job's shell invocation treats those characters as commands, executing attacker-supplied OS commands.

Combined: the attacker sends a crafted HTTP request with a malicious SESSID cookie → PAN-OS creates a file with the malicious content/name → the cron job executes → attacker commands run as root.

UPSTYLE Backdoor

UTA0218's post-exploitation tooling included a Python-based backdoor named UPSTYLE, which:

  • Patches legitimate PAN-OS Python files to add a hidden backdoor
  • Listens for specially crafted network packets to trigger command execution
  • Extracts and executes commands from the User-Agent header of HTTPS requests to the firewall
  • Designed to blend into normal PAN-OS process activity

Additional tools deployed included TUNNELCRACK, MURKYTOP, and network tunneling utilities for lateral movement into victim networks.

Attack Characteristics

Attribute                 Detail
Attack Vector             Network — GlobalProtect gateway/portal HTTPS endpoint
Authentication Required   None — unauthenticated exploitation
Telemetry Required        Yes — device telemetry must be enabled (default)
Code Execution Level      Root on the firewall OS
Scope Changed             Yes (CVSS Scope: Changed) — firewall compromise affects all traffic it processes
Zero-Day Window           At least 17 days (March 26 – April 14)

Discovery

Volexity discovered active exploitation of CVE-2024-3400 on March 26, 2024 while responding to a customer incident. They observed UTA0218 exploiting the GlobalProtect feature to create an interactive reverse shell, deploy the UPSTYLE backdoor, and exfiltrate data. Volexity reported the vulnerability to Palo Alto Networks on April 10, 2024; Palo Alto issued a public advisory on April 12 and released patches on April 14.

Palo Alto Networks Unit 42 assessed UTA0218 as likely a Chinese state-sponsored threat actor based on tooling, tradecraft, and targeting patterns — consistent with groups that routinely target network edge devices for persistent, hard-to-detect access.

Exploitation Context

  • 17-day zero-day window: Exploitation confirmed from March 26; patch released April 14
  • Targeting: UTA0218 focused on espionage — stealing VPN credentials, internal Active Directory data, and sensitive files from compromised organizations
  • Scale: Approximately 82,000 PAN-OS devices were estimated to have GlobalProtect exposed to the internet at time of disclosure
  • Subsequent exploitation: After public disclosure and PoC availability, exploitation expanded beyond UTA0218 to opportunistic attackers and ransomware operators
  • 7-day CISA deadline: The April 19 deadline (7 days after disclosure) was among the shortest ever imposed by CISA, reflecting the combination of CVSS 10.0, active nation-state exploitation, and the privileged network position of firewall appliances

Remediation

CISA BOD 22-01 Deadline: April 19, 2024. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  1. Apply the PAN-OS hotfix for your version (see the Affected Versions table above). Verify the running version with the CLI command: show system info | match version

  2. Interim mitigations (if patching is delayed):

    • Disable device telemetry: Device > Setup > Telemetry — uncheck "Enable Telemetry". This breaks the cron job component of the exploit chain.
    • Enable Threat Prevention and activate Threat IDs 95187, 95189, 95191 (released by Palo Alto to block exploitation attempts).

  3. Check for UPSTYLE and other compromise indicators:

    • Look for unexpected modifications to Python files: find /usr/lib/python3* -newer /etc/passwd -name "*.py"
    • Review GlobalProtect logs for unusual SESSID values or path traversal patterns
    • Check for unexpected processes or network connections from the firewall OS
    • Palo Alto Unit 42 published detailed IOCs; review the Unit 42 threat brief

  4. Restrict GlobalProtect management access — firewall management interfaces (web UI, SSH) should be on a dedicated management network, not accessible from the internet.

  5. Incident response: If compromise is suspected, treat the firewall as fully compromised — assume all traffic it processed may have been observed, all VPN credentials may be stolen, and all firewall rules/configuration may be known to the attacker.
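To make the log review in step 3 concrete, here is an added example (not from the advisory or Unit 42) that scans request-log lines for SESSID cookie values carrying path traversal or shell metacharacters, the two ingredients of Bug 1, decoding percent-encoding first so an encoded traversal is not missed. The log line layout, the benign-token pattern and the sample entries are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from a real device): timestamp, client IP,
# request path, then the raw Cookie header in quotes.
SAMPLE_LOG = """\
2024-04-11T10:22:13Z 198.51.100.7 /global-protect/login.esp cookie="SESSID=a3f9c2d1e4b7"
2024-04-11T10:22:14Z 203.0.113.5 /global-protect/login.esp cookie="SESSID=../../../../tmp/example"
2024-04-11T10:22:15Z 203.0.113.5 /global-protect/login.esp cookie="SESSID=%2F..%2F..%2Fetc%2Fexample"
2024-04-11T10:22:16Z 203.0.113.9 /global-protect/login.esp cookie="SESSID=abc`x`def"
2024-04-11T10:22:17Z 198.51.100.8 /global-protect/login.esp cookie="PHPSESSID=zz; SESSID=Q1w2E3r4"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"')
SESSID_RE = re.compile(r'(?:^|;\s*)SESSID=([^;]*)')
# Assumed benign token format: letters, digits, '_' and '-' only.
BENIGN_RE = re.compile(r'^[A-Za-z0-9_-]+$')
SHELL_META = set('`$;|&<>(){}\n')


def classify_sessid(value):
    """Return the reasons a SESSID value looks like an exploitation attempt."""
    decoded = unquote(value)  # percent-decode so %2F..%2F is seen as /../
    reasons = []
    if '../' in decoded or decoded.startswith('/'):
        reasons.append('path-traversal')
    if any(c in SHELL_META for c in decoded):
        reasons.append('shell-metachar')
    if not reasons and not BENIGN_RE.match(decoded):
        reasons.append('non-token-chars')
    return reasons


def scan_log(text):
    """Return (timestamp, src, sessid, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        s = SESSID_RE.search(m.group('cookie'))
        if not s:
            continue  # no SESSID cookie on this request
        reasons = classify_sessid(s.group(1))
        if reasons:
            hits.append((m.group('ts'), m.group('src'), s.group(1), reasons))
    return hits


if __name__ == '__main__':
    for ts, src, sessid, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} SESSID={sessid!r} -> {', '.join(reasons)}")
```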

Key Details

Property               Value
CVE ID                 CVE-2024-3400
Vendor / Product       Palo Alto Networks — PAN-OS
NVD Published          2024-04-12
NVD Last Modified      2025-11-04
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-20 — Improper Input Validation
CISA KEV Added         2024-04-12
CISA KEV Deadline      2024-04-19
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-04-19. Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.

Timeline

Date          Event
2024-03-26    Volexity observes earliest known exploitation of CVE-2024-3400 in the wild
2024-04-10    Volexity reports the vulnerability to Palo Alto Networks
2024-04-12    Palo Alto Networks issues advisory and CVSS 10.0 alert; CVE-2024-3400 published; CISA KEV added same day
2024-04-14    Patches released for PAN-OS 10.2, 11.0, 11.1
2024-04-19    CISA BOD 22-01 remediation deadline (7 days after disclosure — one of the shortest ever)
2024-04-22    Unit 42 publishes attribution analysis of UTA0218 (likely Chinese state-sponsored)