PAN-OS GlobalProtect Command Injection Vulnerability

Released: Apr 12, 2024

Updated: Apr 26, 2024


Severity: Critical

Vendor: Palo Alto

Attack Type


An actively exploited critical vulnerability in PAN-OS GlobalProtect

CVE-2024-3400 is a command injection vulnerability in PAN-OS GlobalProtect devices that an unauthenticated malicious actor can exploit remotely, leading to remote code execution. Once established, the attacker can collect configurations, deliver malware payloads, and move laterally into the internal network.

Common Vulnerabilities and Exposures

CVE-2024-3400

Background

The GlobalProtect Gateway provides a security solution for roaming users by extending the same next-generation firewall-based policies to them.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


FortiGuard is continuously monitoring and investigating the attack to increase protection coverage and reduce the attack surface.

Apr 25, 2024: FortiGuard Labs noted a significant increase in IPS signature detections in FortiGuard telemetry, with attacks targeting the PAN-OS vulnerability (CVE-2024-3400) blocked on 10,000+ unique IPS devices.

Apr 19, 2024: Palo Alto released more information on CVE-2024-3400 and how it was exploited. https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/

Apr 15, 2024: FortiGuard released an IPS signature to detect and block exploitation attempts targeting edge devices. https://www.fortiguard.com/encyclopedia/ips/55555

Apr 12, 2024: FortiGuard published this Outbreak Alert report.

Apr 12, 2024: FortiGuard issued a Threat Signal. https://www.fortiguard.com/threat-signal-report/5423/

Apr 11, 2024: Palo Alto Networks released a security advisory on GlobalProtect. https://security.paloaltonetworks.com/CVE-2024-3400

Apr 10, 2024: Volexity identified zero-day exploitation of a vulnerability found within GlobalProtect. https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure
  • Decoy VM
  • AV
  • AV (Pre-filter)
  • IPS

DETECT
  • Outbreak Detection
  • Threat Hunting
  • Playbook

RESPOND
  • Assisted Response Services
  • Automated Response

RECOVER
  • NOC/SOC Training
  • End-User Training

IDENTIFY
  • Attack Surface Hardening
  • Inventory Management
  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise