Skip to content

CVSS Score 10 Critical Palo Alto Pan-OS Code Execution Vulnerability CVE-2024-3400



The CVE-2024-3400 is a command injection vulnerability in Palo Alto’s PAN-OS specifically in the GlobalProtect feature, an unauthenticated attacker can execute arbitrary code leading to full compromise.

Vulnerable Versions

The vulnerable versions are PAN-OS 10.2, 11.0, and 11.1


The vulnerability is observed to be exploited since March. 2024 as per CISA, making the score of this vulnerability a critical 10.

Threat actor dubbed UTA0218 is observed deploying python backdoor using this vulnerability where they remotely exploit the firewall to create a reverse shell, download tools, pivot into internal networks and exfiltrate data.

Vulnerability Details

As per the CVE-2024-3400, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for the line matching the same regular expression (“img\[([a-zA-Z0-9+/=]+)\]”) to decode and run the command within it.

15,000+ Assets are susceptible to PAN-OS Attack

As per FireCompass platform, 15k staggering numbers of PAN-OS instances are in the wild making it a potential target for threat actors.

Public POCs

As of writing this blog, there is only one repository claiming to have a working POC