Home / Threat Intelligence bulletins / Critical command injection vulnerability in PAN-OS GlobalProtect Gateway

Target Industry

IT and cyber security.


A critical command injection vulnerability has been identified in the GlobalProtect gateway feature of Palo Alto Networks’ PAN-OS software. This flaw, tracked as CVE-2024-3400 (CVSSv3 score 10.0), allows unauthenticated attackers to execute arbitrary code with root privileges on affected devices.


The vulnerability has a maximum severity score of 10.0 and poses a significant risk to organisations using the affected versions of PAN-OS. The exploit does not require user interaction and can be triggered remotely, making it especially dangerous and likely to be leveraged in cyber-attacks.

Affected Products

  • PAN-OS 10.2 versions before 10.2.9-h1
  • PAN-OS 11.0 versions before 11.0.4-h1
  • PAN-OS 11.1 versions before 11.1.2-h3

Containment, Mitigations & Remediations

Immediate actions recommended include:

  • Enabling Threat ID 95187 in Palo Alto Networks’ Threat Prevention service, which blocks attempts to exploit this vulnerability
  • Applying vulnerability protection to GlobalProtect interfaces as detailed in Palo Alto Networks’ guidance
  • Disabling device telemetry until the firewall can be updated to a patched version.
  • Planned software updates to address this vulnerability are expected to be released by 14th April 2024.

Threat Landscape

The vulnerability is being actively exploited in the wild, with attackers leveraging it to gain unauthorised access and control over impacted systems. The nature of the attacks indicates the exploitation of this vulnerability could be part of targeted cyber espionage or broader malicious campaigns.

Threat Group

While specific threat actors have not been publicly named in relation to the current exploitation of this vulnerability, the critical nature and high potential for exploitation make it a prime target for advanced persistent threat (APT) groups and cybercriminals focused on high-value corporate espionage or broad-scale disruptive attacks.

Additional Reading 

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway 

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack