Palo Alto Networks PAN-OS GlobalProtect Command Injection Zero-Day
A command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Exploited in the wild as a zero-day before a patch was available.
- Vendor: Palo Alto Networks
- Product: PAN-OS (GlobalProtect gateway/portal)
- CVSS: 10.0
- Status: KEV
- Published
CVE-2024-3400 is a maximum-severity command-injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS, the operating system for its next-generation firewalls. Affected PAN-OS versions with a GlobalProtect gateway or portal configured, and with device telemetry or the session-ID re-use feature enabled, allowed an unauthenticated attacker to execute arbitrary code with root privileges directly on the firewall.
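As an added example (not Palo Alto Networks' code and not part of the advisory), the script below shows how a defender might screen a firewall inventory against the exposure conditions above: it parses PAN-OS version strings, including the `-hN` hotfix suffix that distinguishes a patched maintenance release from an unpatched one, and classifies each device by release train, patch level and whether GlobalProtect is configured. The fixed-version thresholds, device names and version numbers are constructed placeholders; substitute the affected ranges from the vendor advisory before using it.

```python
"""Exposure triage of a PAN-OS fleet against a GlobalProtect advisory.

Added example, not vendor code. PLACEHOLDER_FIXED_VERSIONS holds made-up
thresholds: replace them with the fixed versions from the vendor advisory.
"""
import re
from dataclasses import dataclass

# PAN-OS versions look like "10.2.9" or "10.2.9-h1" (hotfix 1 on top of 10.2.9).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# PLACEHOLDER thresholds keyed by release train ("major.minor"). These are
# NOT the real fixed versions; the advisory is the only authoritative source.
PLACEHOLDER_FIXED_VERSIONS = {
    "10.2": "10.2.5-h1",
    "11.0": "11.0.3-h1",
    "11.1": "11.1.1-h2",
}


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix); a missing hotfix counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_valid_panos_version(text):
    """True if the string parses as a PAN-OS version."""
    try:
        parse_panos_version(text)
        return True
    except ValueError:
        return False


@dataclass
class Device:
    name: str
    version: str
    globalprotect_configured: bool  # a GlobalProtect gateway or portal exists


def assess(device, fixed_versions):
    """Classify one device.

    The advisory summary also names device telemetry / session-ID re-use as
    enabling conditions; this triage deliberately ignores them and treats any
    unpatched device with GlobalProtect configured as exposed (conservative
    assumption: patch state, not feature toggles, is what clears a device).
    """
    ver = parse_panos_version(device.version)
    train = f"{ver[0]}.{ver[1]}"
    if train not in fixed_versions:
        return "unaffected-train"
    if ver >= parse_panos_version(fixed_versions[train]):
        return "patched"
    if not device.globalprotect_configured:
        return "no-globalprotect"  # not reachable via GlobalProtect, still patch
    return "exposed"


def triage(devices, fixed_versions=PLACEHOLDER_FIXED_VERSIONS):
    """Map device name -> classification for a whole inventory."""
    return {d.name: assess(d, fixed_versions) for d in devices}


# Constructed sample inventory (names and versions are made up).
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "10.2.4", True),
    Device("fw-edge-02", "10.2.5-h1", True),
    Device("fw-edge-03", "10.2.5", True),     # maintenance release without the hotfix
    Device("fw-lab-01", "9.1.16", True),
    Device("fw-dc-01", "11.1.1", False),
    Device("fw-dc-02", "11.1.1-h2", False),
]

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:12s} {verdict}")
```

The ordering of checks matters: a device on an unaffected train is cleared first, a device at or above the fixed version is cleared regardless of configuration, and only then does the GlobalProtect flag decide between "exposed" and "no-globalprotect". Note that `fw-edge-03` on the bare maintenance release is still flagged, because the placeholder threshold carries a hotfix suffix and `(10, 2, 5, 0) < (10, 2, 5, 1)`.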
Palo Alto Networks and Volexity disclosed on April 12, 2024 that the flaw was being exploited in the wild as a zero-day by a threat actor tracked as UTA0218, which deployed a custom Python-based backdoor dubbed UPSTYLE on compromised firewalls to maintain persistent access.
Why it mattered
A root-level remote-code-execution flaw in the firewall itself — the device meant to be the perimeter defense — is about as severe as a network vulnerability gets. CISA added the CVE to its KEV catalog within days, and Palo Alto Networks published both hotfixes and temporary mitigation steps for customers who could not immediately patch.
Full advisory, affected version ranges, and IoCs are published by Palo Alto Networks; the canonical CVE record is linked above via NVD.
