Explainer

PAN-OS GlobalProtect Zero-Day Gave Attackers Root on the Firewall Itself

CVE-2024-3400, a maximum-severity command-injection flaw in Palo Alto Networks' PAN-OS GlobalProtect feature, was exploited in the wild before a patch existed — handing attackers root access to the perimeter firewall.

Photo: Michael Jastremski / Wikimedia Commons · CC BY-SA 2.0
0day News Desk

A firewall is supposed to be the wall. When the wall itself has a remotely exploitable, unauthenticated, root-level code-execution flaw, the entire premise of perimeter defense breaks down — which is exactly the scenario CVE-2024-3400 created for Palo Alto Networks customers in April 2024.

What the flaw allowed

CVE-2024-3400 is a command-injection vulnerability in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ next-generation firewalls. On specific PAN-OS versions with a GlobalProtect gateway or portal configured — and device telemetry or session ID re-use enabled — an unauthenticated, remote attacker could execute arbitrary code with root privileges directly on the firewall. It carries the maximum CVSS score of 10.0.

Root code execution on a firewall isn’t just “another RCE.” It means an attacker controls the very device that’s supposed to be inspecting and blocking malicious traffic — with the ability to disable logging, modify rules, pivot into the internal network, and persist across reboots.

Active exploitation before disclosure

Palo Alto Networks and Volexity jointly disclosed the vulnerability on April 12, 2024, confirming it was being exploited in the wild as a zero-day. Volexity attributed the activity to a threat actor it tracks as UTA0218, which deployed a custom Python-based backdoor — dubbed UPSTYLE — on compromised firewalls to maintain access and pull additional tooling onto the device post-compromise.

CVE-2024-3400 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within days of disclosure, with federal agencies required to apply mitigations or patches on an expedited timeline.

The response

Palo Alto Networks moved quickly, publishing both temporary mitigation steps — for customers who could not immediately patch — and hotfixes across the affected PAN-OS version branches. The company also released a tool to help customers determine whether a given firewall showed signs of compromise, since (as with several other zero-days on this tracker) patching alone does not undo an established backdoor on an already-compromised device.
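The exposure conditions in the "What the flaw allowed" section (a GlobalProtect portal or gateway configured, plus device telemetry or session ID re-use enabled, on an unpatched affected release) and the patch-status question in the response above can be turned into a fleet triage check. The script below is an added illustration, not code from Palo Alto Networks, Volexity or this site. It assumes the PAN-OS version string format `major.minor.maint[-hN]`; the fixed-version table and the inventory records are constructed placeholders, and the real affected releases and hotfix numbers must be taken from the vendor advisory.

```python
"""Fleet triage for the CVE-2024-3400 exposure conditions described in the article.

Added example (not vendor code). FIXED_VERSIONS must list every affected
maintenance release with the first hotfix that carries the fix; the values
shown here are constructed placeholders, not real PAN-OS releases.
"""
import re
from dataclasses import dataclass

# PAN-OS version strings look like "11.1.2" or "11.1.2-h3" (assumed format).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maint, hotfix); hotfix is 0 when no -hN suffix."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Firewall:
    name: str
    version: str
    gp_portal: bool          # GlobalProtect portal configured
    gp_gateway: bool         # GlobalProtect gateway configured
    device_telemetry: bool   # device telemetry enabled
    session_id_reuse: bool   # session ID re-use enabled


def triage(fw, fixed_versions):
    """Classify one firewall against the conditions the advisory describes.

    fixed_versions maps an affected maintenance release ("major.minor.maint")
    to the first hotfix that fixes it ("major.minor.maint-hN"). A release
    absent from the table is treated as not affected, so the table must be
    complete.
    """
    ver = parse_panos_version(fw.version)
    base = "%d.%d.%d" % ver[:3]
    if base not in fixed_versions:
        return "not-affected"
    if ver >= parse_panos_version(fixed_versions[base]):
        return "patched"
    gp_configured = fw.gp_portal or fw.gp_gateway
    trigger = fw.device_telemetry or fw.session_id_reuse
    if gp_configured and trigger:
        # Reachable pre-conditions on an unpatched release: patch, then run the
        # vendor compromise check, since patching alone does not remove a backdoor.
        return "exposed"
    # Vulnerable code is present even if the pre-conditions are currently off.
    return "vulnerable-version"


def triage_fleet(fleet, fixed_versions):
    return {fw.name: triage(fw, fixed_versions) for fw in fleet}


# Constructed placeholder table: replace with the advisory's real values.
SAMPLE_FIXED = {"1.2.3": "1.2.3-h1"}

# Constructed inventory records for demonstration only.
SAMPLE_FLEET = [
    Firewall("edge-a", "1.2.3", gp_portal=False, gp_gateway=True,
             device_telemetry=True, session_id_reuse=False),
    Firewall("edge-b", "1.2.3-h2", gp_portal=True, gp_gateway=True,
             device_telemetry=True, session_id_reuse=True),
    Firewall("edge-c", "1.2.3", gp_portal=False, gp_gateway=False,
             device_telemetry=True, session_id_reuse=False),
    Firewall("lab-d", "1.1.9", gp_portal=True, gp_gateway=False,
             device_telemetry=True, session_id_reuse=False),
]

if __name__ == "__main__":
    for name, status in triage_fleet(SAMPLE_FLEET, SAMPLE_FIXED).items():
        print(f"{name:8s} {status}")
```

Devices reported as `exposed` need the hotfix and, because an established backdoor survives the patch, the vendor's compromise check as well; `vulnerable-version` devices should still be patched, since a configuration change is all that separates them from the exposed state.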

Why it mattered

Perimeter security devices — firewalls, VPN gateways, secure web gateways — have increasingly become the entry point of choice for sophisticated attackers precisely because they’re internet-facing by design and historically under-monitored relative to standard endpoints. A root-RCE zero-day in a market-leading firewall product is about as severe an instance of that pattern as exists.

Full advisory detail, affected configurations, and patch guidance are published by Palo Alto Networks and reflected in the NVD record for CVE-2024-3400.

This article describes the vulnerability and its real-world impact only — it does not include exploit code or step-by-step attack instructions.
