April 2024 · Edge devices

PAN-OS GlobalProtect command injection lets attackers run as root

CVE-2024-3400 is a command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS. In affected configurations it allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall — a maximum-severity CVSS 10.0 issue per the NVD entry.

Why it matters for your perimeter

This one was exploited in the wild as a zero-day before a fix was available, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog. Root on the firewall is about the worst outcome on a perimeter device: an attacker can pivot into the internal network, intercept traffic, and persist. Because GlobalProtect gateways are internet-facing by design, exposed devices were reachable by anyone.

Who's affected and what to do

Specific PAN-OS versions running GlobalProtect gateway/portal with certain features enabled are affected; Palo Alto's advisory lists the exact versions and fixed releases. The response is to apply the fixed PAN-OS release, apply vendor-recommended mitigations in the interim, and — critically — hunt for compromise, since this was exploited before patches existed. Review GlobalProtect logs and look for indicators published by Palo Alto and incident responders.

Not sure if your Palo Alto gateway is internet-reachable or running an affected configuration? An external firewall pentest fingerprints the device and checks it against known CVEs in minutes.

Sources

Palo Alto Networks Security Advisory — CVE-2024-3400
NVD — CVE-2024-3400
CISA Known Exploited Vulnerabilities Catalog

Is your firewall exposed to a known CVE right now?

Run a free authorized firewall pentest — open ports, exposed services and the known CVEs for your exact platform, validated and emailed to you.

Pentest my firewall →