IRONSMITHINTEL
Critical (CVSS 10.0) | Actively exploited | CISA KEV | CVE-2024-3400 | Auth: none (unauthenticated) | Reboot: required | Est. 1 hour including firewall restart | Manual only

Palo Alto PAN-OS < 10.2.9-h1 — RCE

A command injection in PAN-OS GlobalProtect allows unauthenticated remote code execution as root. Apply the PAN-OS hotfix for your branch immediately — actively exploited as a zero-day by Volt Typhoon and UTA0218 to deploy Upstyle backdoors.

Published Apr 12, 2024 · Updated May 15, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An unauthenticated attacker achieves root-level remote code execution on the Palo Alto firewall itself — the device that is supposed to protect the network. This gives full control of network traffic, VPN credentials, firewall rules, and a privileged position for lateral movement into the internal network. All VPN users' credentials may be captured.

How the attack works (no clicks needed)

The GlobalProtect VPN gateway in PAN-OS contains a command injection vulnerability in the telemetry feature. An unauthenticated attacker who can reach the GlobalProtect portal (typically internet-accessible) can inject shell commands that execute as root on the firewall. Device telemetry must be enabled for exploitation (it is enabled by default on many configurations).


Am I affected? Quick check

Probably yes if any of these apply:

- Running PAN-OS 10.2.x < 10.2.9-h1, PAN-OS 11.0.x < 11.0.4-h1, or PAN-OS 11.1.x < 11.1.2-h3

Relevant teams: Network Security Team, Firewall Administrators, IT Security

Fixed in: PAN-OS 10.2.9-h1 / 11.0.4-h1 / 11.1.2-h3
Real-world incidents: what we've seen

Volexity discovered active exploitation in April 2024 by threat actor UTA0218 (believed to be a nation-state actor). The attackers deployed a Python-based backdoor called Upstyle and used the firewall as a pivot point for internal network reconnaissance. CISA added CVE-2024-3400 to KEV and issued an emergency alert. Palo Alto released hotfixes within 24 hours of public disclosure.

How to patch

Manual remediation steps

1 hour including firewall restart

Check PAN-OS Version

From the firewall CLI:

show system info | match version

Immediate Mitigation (if patching delayed)

# Disable device telemetry (removes the exploited condition)
# In Panorama or device CLI:
set deviceconfig system telemetry-level off
commit
# Verify:
show system telemetry-level

Check for Indicators of Compromise

# Look for suspicious files created by the exploit
find /opt/pancommunity/tmp -name "*.py" -newer /var/log/pan/gpsvc.log
find /var/log -name "gpsvc.log*" -exec grep -l "SESSID" {} \;

Apply the Hotfix

1. Download the appropriate hotfix from https://security.paloaltonetworks.com
   - PAN-OS 10.2: upgrade to 10.2.9-h1
   - PAN-OS 11.0: upgrade to 11.0.4-h1
   - PAN-OS 11.1: upgrade to 11.1.2-h3
2. Upload the image via Panorama or the device web UI
3. Install and commit the update
4. Verify with: show system info | match version

Re-enable Telemetry After Patching

set deviceconfig system telemetry-level enhanced
commit
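As an added example (not the page's own script and not Palo Alto code), a small Python triage helper that parses the sw-version line from `show system info` output and compares it against the fixed versions listed above; the sample output and hostname are constructed, not captured from a real firewall.

```python
import re

# Fixed versions per branch, taken from the advisory above (10.2.9-h1 / 11.0.4-h1 / 11.1.2-h3).
FIXED_BY_BRANCH = {
    (10, 2): (10, 2, 9, 1),
    (11, 0): (11, 0, 4, 1),
    (11, 1): (11, 1, 2, 3),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.8-h3' into (10, 2, 8, 3). A release without a '-hN' suffix
    becomes hotfix 0, so 10.2.9 sorts below 10.2.9-h1 (base release still vulnerable)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def extract_sw_version(show_system_info):
    """Pull the sw-version value out of 'show system info' output."""
    for line in show_system_info.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def is_vulnerable(version):
    """True if the version is on an affected branch and below that branch's fix.
    Branches not listed in the advisory's version table are reported as not affected."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v < fixed


# Constructed sample output, not captured from a real firewall.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
sw-version: 10.2.8-h3
global-protect-client-package-version: 6.2.1
"""

if __name__ == "__main__":
    running = extract_sw_version(SAMPLE_SHOW_SYSTEM_INFO)
    print(running, "VULNERABLE" if is_vulnerable(running) else "fixed")
```

Paste the real `show system info` output into SAMPLE_SHOW_SYSTEM_INFO, or feed it to extract_sw_version, to check a fleet without re-reading version strings by hand.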
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.