Introduction
Palo Alto Networks has released an emergency security advisory regarding a critical-severity vulnerability in PAN-OS, the operating system powering their Next-Generation Firewalls (NGFW). Tracked as CVE-2024-3400, this flaw is a command injection vulnerability affecting the GlobalProtect feature specifically when the User-ID authentication portal is enabled.
This is not a theoretical risk. CVE-2024-3400 is currently being exploited in the wild by threat actors to achieve unauthenticated Remote Code Execution (RCE) with root privileges. Given the perimeter position of these devices, a successful compromise allows attackers to pivot into the internal network, intercept traffic, and establish persistent backdoors within the enterprise. Defenders should treat this as urgent: if your firewall is vulnerable, it is likely being scanned or targeted now.
Technical Analysis
CVE Identifier: CVE-2024-3400
CVSS Score: 10.0 (Critical)
Affected Component: PAN-OS GlobalProtect Gateway / Satellite (User-ID)
The vulnerability stems from improper input validation in the User-ID subsystem of PAN-OS: an unauthenticated attacker can inject arbitrary operating system commands through crafted HTTP requests to the GlobalProtect service. No valid credentials are required; the attack exploits a flaw in how the firewall processes session information.
Affected Products and Versions: The vulnerability is confirmed in the following PAN-OS versions and platforms:
- PAN-OS 10.2: Earlier than 10.2.9-h1
- PAN-OS 11.0: Earlier than 11.0.4-h1
- PAN-OS 11.1: Earlier than 11.1.2-h3
- PAN-OS 11.2: Earlier than 11.2.2-h1
Platforms: PA-Series, VM-Series, and CN-Series firewalls configured with GlobalProtect Gateway or Satellite and User-ID enabled.
Exploitation Status:
- Active Exploitation: Confirmed. Volexity and other threat intelligence firms have observed activity clusters using this zero-day to install custom Python webshells (e.g., system_hana.py) and reverse shells.
- CISA KEV: Added to the Known Exploited Vulnerabilities Catalog.
Detection & Response
Detecting exploitation of this vulnerability requires analyzing web proxy logs or syslog streams from the Palo Alto device. The exploit involves sending crafted HTTP requests to the GlobalProtect service endpoint, often targeting /ssl-vpn/hipcheck.esp or similar paths, and injecting commands via HTTP headers or cookies.
SIGMA Rules
The following rules cover the exploitation mechanics observed in the wild: requests to the hipcheck.esp endpoint carrying command injection patterns in HTTP headers, and shell processes spawned by the GlobalProtect service after a successful exploit.
---
title: Potential PAN-OS CVE-2024-3400 Exploitation Attempt
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential exploitation attempts of CVE-2024-3400 targeting the PAN-OS GlobalProtect hipcheck endpoint with suspicious command injection patterns in the User-Agent header.
references:
  - https://security.paloaltonetworks.com/CVE-2024-3400
author: Security Arsenal
date: 2024/04/14
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: paloalto
detection:
  selection:
    cs-method: 'GET'
    c-uri|contains: '/ssl-vpn/hipcheck.esp'
  # Responses that never reached the handler are excluded
  filter_main:
    sc-status|startswith:
      - '404'
      - '403'
  # Shell metacharacters or tooling names inside the User-Agent
  selection_injection_contains:
    c-useragent|contains:
      - ';'
      - '|'
      - '`'
      - 'wget'
      - 'curl'
      - 'chmod'
  # Missing or parenthesis-led User-Agent values
  selection_injection_prefix:
    c-useragent|startswith:
      - 'null'
      - '('
  # The two injection selections are OR-ed; placing both modifiers in one map would AND them
  condition: selection and not filter_main and 1 of selection_injection_*
falsepositives:
  - Legitimate but malformed User-Agent strings (rare)
level: critical
---
title: PAN-OS GlobalProtect Unusual Process Activity
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects execution of shell commands via Python processes spawned by the GlobalProtect portal service, indicative of successful exploitation.
references:
  - https://attack.mitre.org/techniques/T1059/006
author: Security Arsenal
date: 2024/04/14
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: linux
detection:
  # Either GlobalProtect daemon as the parent (a single key holding a list; a repeated key is invalid YAML)
  selection_parent:
    ParentImage|endswith:
      - '/globalprotectd'
      - '/pan_gp_portal'
  # Interpreter or shell as the child; '/python3' is listed because endswith '/python' does not match it
  selection_child:
    Image|endswith:
      - '/python'
      - '/python3'
      - '/bash'
      - '/sh'
  condition: selection_parent and selection_child
falsepositives:
  - Administrative troubleshooting (rare)
level: high
KQL (Microsoft Sentinel / Defender)
Use the following KQL to hunt for exploitation indicators in your Syslog or CommonSecurityLog streams. This query looks for the specific vulnerable endpoint path and checks for anomalies in the User-Agent or HTTP headers.
// Hunt for CVE-2024-3400 Exploitation Attempts
// CommonSecurityLog (CEF) carries the HTTP method, URI and User-Agent in the
// RequestMethod, RequestURL and RequestClientApplication columns; hyphenated
// W3C names such as cs-method are not columns in this table.
let HipCheckEndpoint = "/ssl-vpn/hipcheck.esp";
// Tool names are matched as whole terms; shell metacharacters (raw or percent-encoded)
// are matched with a regex because term matching does not work on punctuation.
let SuspiciousTools = dynamic(["wget", "curl", "chmod", "python"]);
let MetacharPattern = @"[;|`]|%3[Bb]|%7[Cc]|%60";
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where RequestMethod =~ "GET"
| where RequestURL has HipCheckEndpoint
| where RequestClientApplication has_any (SuspiciousTools)
    or RequestClientApplication matches regex MetacharPattern
    or RequestClientApplication == "null"
    or RequestClientApplication startswith "("
| project TimeGenerated, DeviceName, SourceIP, DestinationIP, RequestURL, RequestClientApplication, DeviceAction
| order by TimeGenerated desc
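As an added illustration (example code written for this post, not part of the original advisory or of any Palo Alto Networks or Microsoft tooling), the following Python replays the logic of the Sigma rule and KQL query above over a handful of constructed W3C-style log lines. It goes one step beyond the rule by percent-decoding the User-Agent before matching, so the encoded forms the KQL checks (%3B, %7C, %60) and the raw metacharacters are handled by one comparison. The log format, the field order and every sample line are assumptions made for the example.

```python
from urllib.parse import unquote

# Sigma 'selection': GET requests to the hipcheck endpoint.
HIPCHECK_ENDPOINT = "/ssl-vpn/hipcheck.esp"
# Sigma 'selection_injection': shell metacharacters and download/permission tools,
# plus User-Agent values that are missing or start with a parenthesis.
SUSPICIOUS_UA_SUBSTRINGS = (";", "|", "`", "wget", "curl", "chmod")
SUSPICIOUS_UA_PREFIXES = ("null", "(")
# Sigma 'filter_main': responses that never reached the handler are excluded.
FILTERED_STATUS_PREFIXES = ("403", "404")

# Constructed sample log (an assumption for this example): tab-separated
# timestamp, cs-method, c-uri, sc-status, c-useragent.
SAMPLE_LOG = """\
2024-04-14T10:00:01Z\tGET\t/ssl-vpn/hipcheck.esp\t200\tPAN GlobalProtect/6.0.0 (Windows 10)
2024-04-14T10:00:02Z\tGET\t/ssl-vpn/hipcheck.esp\t200\tnull
2024-04-14T10:00:03Z\tGET\t/ssl-vpn/hipcheck.esp\t200\t(test)
2024-04-14T10:00:04Z\tGET\t/ssl-vpn/hipcheck.esp\t200\tfoo|bar
2024-04-14T10:00:05Z\tGET\t/ssl-vpn/hipcheck.esp\t404\twget/1.21
2024-04-14T10:00:06Z\tGET\t/global-protect/login.esp\t200\tcurl/8.0
2024-04-14T10:00:07Z\tGET\t/ssl-vpn/hipcheck.esp\t200\tMozilla%3B5.0
"""


def parse_line(line):
    """Split one tab-separated log line into a record dict."""
    ts, method, uri, status, ua = line.split("\t", 4)
    return {"ts": ts, "method": method, "uri": uri, "status": status, "ua": ua}


def is_suspicious(rec):
    """Apply the Sigma condition: selection and not filter_main and selection_injection."""
    if rec["method"].upper() != "GET" or HIPCHECK_ENDPOINT not in rec["uri"]:
        return False
    if rec["status"].startswith(FILTERED_STATUS_PREFIXES):
        return False
    # Percent-decode so "%3B" and ";" are judged the same way; Sigma 'contains' is
    # case-insensitive, so compare in lower case.
    ua = unquote(rec["ua"]).lower()
    return any(s in ua for s in SUSPICIOUS_UA_SUBSTRINGS) or ua.startswith(SUSPICIOUS_UA_PREFIXES)


def hunt(log_text):
    """Return the records the rule would alert on, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['uri']} status={hit['status']} ua={hit['ua']!r}")
```

Run against the sample, four of the seven lines fire: the null, parenthesis-led, pipe-containing and percent-encoded semicolon User-Agents. The 404 line is dropped by the status filter and the login.esp line never matches the endpoint selection, which is exactly the behaviour the Sigma condition expresses.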
Velociraptor VQL
If you are performing DFIR on a Linux-based system that acts as a log aggregator or if you are analyzing a compromised VM-Series firewall directly (where you have shell access), use this VQL artifact to hunt for the specific webshell artifacts or malicious processes often associated with this campaign.
-- Hunt for PAN-OS Exploitation Artifacts and Webshells
-- Checks for the known backdoor 'system_hana' or suspicious python processes.
-- Parentheses make the intended AND/OR grouping explicit.
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE (Name =~ "python" AND CommandLine =~ "system_hana")
   OR (Name =~ "globalprotect" AND CommandLine =~ "wget|curl|chmod")

-- Additionally, hunt for the specific webshell file on disk.
-- glob() takes a list of patterns; OSPath is the current name of the path
-- column (older releases expose it as FullPath).
SELECT OSPath, Size, Mtime, Atime
FROM glob(globs=["/tmp/*", "/var/tmp/*"])
WHERE OSPath =~ "system_hana"
   OR OSPath =~ "[.]py$"
Remediation Script (Bash)
IMPORTANT: The most effective immediate mitigation is to disable the User-ID feature on the GlobalProtect interface until patches can be applied. The following Bash script uses the Palo Alto Networks API to disable the User-ID service configuration. You must have an API key with sufficient permissions.
#!/bin/bash
# MITIGATION SCRIPT: Disable User-ID for GlobalProtect to mitigate CVE-2024-3400
# Usage: ./mitigate_pan_cve-2024-3400.sh <FIREWALL_IP> <API_KEY>
set -euo pipefail
FW_IP="${1:-}"
API_KEY="${2:-}"
if [ -z "$FW_IP" ] || [ -z "$API_KEY" ]; then
  echo "Usage: $0 <FIREWALL_IP> <API_KEY>" >&2
  exit 1
fi
echo "[*] Connecting to PAN-OS device at $FW_IP..."
# 1. Get the Configuration to identify User-ID rules (Simplified for mitigation)
# In a real scenario, you would parse the config to find specific User-ID mappings.
# This script assumes an operational need to disable the service globally or on the interface.
# 2. Disable the GlobalProtect User-ID via API (Conceptual Type/Key modification)
# This is a representative API call. The exact XPATH depends on your specific configuration structure.
# Target: User-ID agent configuration or GlobalProtect portal config.
XPATH="/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/user-id/enable"
ELEMENT="<value>off</value>"
echo "[*] Sending mitigation command to disable User-ID..."
# curl -G builds the query string and --data-urlencode encodes the XPath and XML element,
# which contain characters that are not safe to paste into a URL unencoded.
# The API key goes in the X-PAN-KEY header rather than the URL so it stays out of proxy and shell logs.
# -k accepts the self-signed certificates common on PAN devices.
response=$(curl -k -s -G "https://${FW_IP}/api/" \
  -H "X-PAN-KEY: ${API_KEY}" \
  --data-urlencode "type=config" \
  --data-urlencode "action=set" \
  --data-urlencode "xpath=${XPATH}" \
  --data-urlencode "element=${ELEMENT}")
echo "[*] API Response:"
echo "$response"
# The XML API reports status="success" when the candidate configuration was updated
if ! grep -q 'status="success"' <<<"$response"; then
  echo "[!] The API did not report success; no change was staged." >&2
  exit 1
fi
echo "[*] Change staged in the candidate configuration. Commit it via the Management UI or API for it to take effect."
Remediation
1. Patch Immediately: Apply the hotfixes released by Palo Alto Networks. Do not wait for the next minor release.
- PAN-OS 10.2: Upgrade to 10.2.9-h1 or later.
- PAN-OS 11.0: Upgrade to 11.0.4-h1 or later.
- PAN-OS 11.1: Upgrade to 11.1.2-h3 or later.
- PAN-OS 11.2: Upgrade to 11.2.2-h1 or later.
2. Mitigation (If patching is delayed): Disabling the User-ID feature on the GlobalProtect Gateway or Satellite interface breaks the attack chain. Navigate to Device > User Identification > GlobalProtect and disable the User-ID agent, or remove the User-ID configuration from the GlobalProtect Gateway/Satellite setup. This is a temporary stopgap until the patch is applied.
3. Threat Hunt: Assume compromise if your logs show suspicious activity towards the /ssl-vpn/hipcheck.esp endpoint prior to patching. Look for the system_hana.py webshell or unauthorized outbound connections originating from the firewall's management interface.
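As an added example (written for this post, not from Palo Alto Networks), the following Python turns the fixed-version thresholds listed under Affected Products and repeated in step 1 above into a triage helper: it parses PAN-OS version strings including the -hN hotfix suffix, compares a device's version against the fixed build of its own release train, and reports trains the list does not cover as unknown rather than guessing. The inventory dictionary is a constructed sample. Version alone is necessary but not sufficient: per the advisory, a device is exposed only when GlobalProtect Gateway or Satellite with User-ID is configured, so a True verdict means "needs the patch", not "confirmed exploitable".

```python
import re

# Fixed builds per release train, as listed in the advisory above; anything earlier
# in the same train is vulnerable. A train missing here yields an "unknown" verdict.
FIXED_VERSIONS = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
    "11.2": "11.2.2-h1",
}

# major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version):
    """True if below the fixed build of its train, False if at/after it, None if the train is not listed."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def assess(inventory):
    """inventory maps hostname -> version string; returns hostname -> verdict for a triage list."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the example).
    sample = {
        "fw-edge-01": "10.2.8",
        "fw-edge-02": "10.2.9-h1",
        "fw-dc-01": "11.1.2-h2",
        "fw-lab-01": "10.1.9",
    }
    labels = {True: "VULNERABLE - patch now", False: "fixed", None: "train not in advisory list"}
    for host, verdict in assess(sample).items():
        print(f"{host:12} {sample[host]:10} {labels[verdict]}")
```

The hotfix suffix is the detail that trips up naive string comparison: 10.2.9 sorts after 10.2.9-h1 lexically but is still below the fix, which the tuple comparison handles by treating a missing suffix as hotfix 0.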
Official Advisory: Palo Alto Networks Security Advisory CVE-2024-3400