PAN-OS OS Command Injection Vulnerability Exploited in the Wild (CVE-2024-3400)

Qualys Security Advisory

Attackers are exploiting a command injection vulnerability in Palo Alto Networks PAN-OS software. Tracked as CVE-2024-3400, the vulnerability has been given a critical severity rating and a CVSS score of 10. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code with root privileges on the firewall. The vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations.

This vulnerability does not impact Cloud NGFW, Panorama appliances, or Prisma Access. All other versions of PAN-OS are also not affected.

The advisory states, “Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

PAN-OS is the operating system for Palo Alto Networks next-generation firewalls (NGFWs) and Panorama. It includes technologies like App-ID, Content-ID, Device-ID, and User-ID, which can collect data about firewall health and configuration and metrics related to threat prevention. PAN-OS also automatically reprograms firewalls with the latest intelligence, ensuring all traffic is free of known and unknown threats.

Affected Versions

The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.


According to the Palo Alto Networks advisory, the vulnerability will be patched in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3, and in all later PAN-OS versions.

Note: The fixes will be released by April 14, 2024.

Please refer to the PAN-OS Security Advisory for more information.
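The affected-version and fixed-release conditions above, as an added triage example (not code from Qualys or Palo Alto Networks): it flags firewalls on the 10.2, 11.0 and 11.1 branches that are below the fixed hotfix named here and have both GlobalProtect gateway and device telemetry enabled. The inventory records, hostnames and status labels are constructed for illustration, and only the three fixed releases named in this advisory are used as thresholds.

```python
import re

# Fixed hotfix releases named in this advisory, keyed by affected branch.
FIXED = {(10, 2): (10, 2, 9, 1), (11, 0): (11, 0, 4, 1), (11, 1): (11, 1, 2, 3)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """'10.2.9-h1' -> (10, 2, 9, 1); a release without -hN counts as hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(version, gp_gateway, telemetry):
    """Classify one firewall using the conditions stated in the advisory."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "branch-not-affected"
    if v >= fixed:
        return "fixed"
    # Affected only when both features are enabled, per the advisory text.
    return "exposed" if gp_gateway and telemetry else "unfixed-config-not-matching"

def triage(inventory):
    """Map hostname -> status; unparseable versions are surfaced, not dropped."""
    result = {}
    for fw in inventory:
        try:
            result[fw["host"]] = assess(fw["version"], fw["gp_gateway"], fw["telemetry"])
        except ValueError:
            result[fw["host"]] = "unparsed-version"
    return result

# Constructed sample inventory (hostnames and settings are illustrative).
SAMPLE = [
    {"host": "fw-edge-01", "version": "10.2.9", "gp_gateway": True, "telemetry": True},
    {"host": "fw-edge-02", "version": "10.2.9-h1", "gp_gateway": True, "telemetry": True},
    {"host": "fw-dc-01", "version": "11.1.2-h2", "gp_gateway": True, "telemetry": False},
    {"host": "fw-dc-02", "version": "10.1.11", "gp_gateway": True, "telemetry": True},
    {"host": "fw-lab-01", "version": "11.0.x", "gp_gateway": True, "telemetry": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as unfixed-config-not-matching still run a release below the fixed hotfix, so they remain candidates for the upgrade even though they do not match the feature configuration described here.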


Palo Alto suggests that Threat Prevention subscribers enable Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) to block attacks on this vulnerability.

Customers must also ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their devices.

Qualys Detection

Qualys customers can scan their devices with QID 731378 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.


