Escalating Exploitation of PAN-OS GlobalProtect Vulnerability CVE-2024-3400

In recent weeks, cybersecurity researchers have observed a significant uptick in malicious scanning activities targeting a critical vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect feature, identified as CVE-2024-3400. This flaw allows unauthenticated attackers to create arbitrary files on vulnerable systems, potentially leading to operating system command injection and full root code execution on affected firewalls.

Understanding CVE-2024-3400

CVE-2024-3400 is a severe security vulnerability within the PAN-OS software, specifically affecting the GlobalProtect gateway and portal functionalities. The flaw arises from improper validation of session IDs in the GlobalProtect SSL VPN component, enabling attackers to exploit this weakness by sending specially crafted requests to the /ssl-vpn/hipreport.esp endpoint. By doing so, they can create arbitrary files on the system, which can be leveraged to execute malicious commands with root privileges.

Observed Exploitation Attempts

Since late September 2025, global honeypots have recorded thousands of TCP connections probing PAN-OS SSL VPN portals. Notably, a source IP address, 141.98.82.26, has been identified repeatedly issuing malicious POST requests to the /ssl-vpn/hipreport.esp endpoint. These requests exploit the lack of session ID validation by supplying a crafted Cookie header, facilitating the creation of arbitrary files on the target system.

The attack sequence typically involves:

1. Initial Exploitation: The attacker sends a POST request to the /ssl-vpn/hipreport.esp endpoint with a specially crafted Cookie header, leading to the creation of an arbitrary file on the system.

2. Verification: A subsequent GET request is made to access the newly created file, confirming its presence and successful exploitation.

3. Command Execution: The attacker then positions the file in directories that allow for command execution, potentially leading to full system compromise.

These automated scanning and exploitation attempts underscore the critical nature of CVE-2024-3400, which has been assigned a CVSS score of 10.0, indicating its severity and the ease with which it can be exploited over the network without authentication.

Affected Products and Versions

The vulnerability impacts the following PAN-OS versions:

– PAN-OS 10.2: Versions prior to 10.2.9-h1

– PAN-OS 11.0: Versions prior to 11.0.4-h1

– PAN-OS 11.1: Versions prior to 11.1.2-h3

Only on-premises firewalls with a GlobalProtect gateway or portal enabled are exposed. Cloud NGFW and Prisma Access customers are not affected by this issue.

Mitigation Strategies

To protect against potential exploitation of CVE-2024-3400, Palo Alto Networks has released patched versions of PAN-OS:

– PAN-OS 10.2.9-h1

– PAN-OS 11.0.4-h1

– PAN-OS 11.1.2-h3

Administrators are strongly advised to upgrade to these versions immediately to mitigate the risk.
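The version thresholds above are easy to misjudge by hand because PAN-OS hotfix suffixes ("-h1") sort after the bare maintenance release, so 10.2.9 is still vulnerable while 10.2.9-h1 is fixed. The following Python helper, added here as an example and not code from Palo Alto Networks or this article, parses a PAN-OS version string and checks it against exactly the three fixed releases listed in the Affected Products and Mitigation Strategies sections; the function and constant names are my own, and a train the article does not list returns None rather than a guess.

```python
import re
from typing import Optional

# Fixed releases per PAN-OS train, taken from the article's mitigation list.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# major.minor.maintenance with an optional "-h<n>" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Return (major, minor, maintenance, hotfix); a bare release has hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, globalprotect_enabled: bool = True) -> Optional[bool]:
    """True if the version is below the fixed release for its train and the
    GlobalProtect gateway/portal is enabled; None if the train is not one the
    article lists (consult the vendor advisory for those)."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    if not globalprotect_enabled:
        # Only devices with the GlobalProtect gateway or portal enabled are exposed.
        return False
    # Tuple comparison orders 10.2.9 (hotfix 0) before 10.2.9-h1 (hotfix 1).
    return parsed < parse_panos_version(fixed)


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    inventory = {"fw-edge-1": "10.2.8", "fw-edge-2": "10.2.9-h1", "fw-dc-1": "11.1.2-h2"}
    for name, ver in inventory.items():
        print(f"{name:10s} {ver:12s} vulnerable={is_vulnerable(ver)}")
```

Feed it the output of your device inventory (for example the "sw-version" reported by each firewall) and treat a None result as "unknown, check the advisory", not as safe.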

In addition to upgrading, the following measures are recommended:

1. Deploy Threat Prevention Signatures: Implement Threat Prevention signatures 95187, 95189, and 95191 to block initial arbitrary file creation attempts at the GlobalProtect interface.

2. Monitor Logs for Anomalies: Regularly inspect GPSvc logs for unusual session ID strings. A legitimate session ID is a GUID made up of hyphen-separated hex-digit groups; a file-system path or shell snippet appearing where a session ID should be indicates a potential exploitation attempt.

3. Verify Configurations: Ensure that the GlobalProtect gateway or portal is configured correctly and audit for unauthorized files in the /var/appweb/sslvpndocs directory.

Detection and Response

The primary detection source is the GPSvc log. Search it for session ID values that do not match the expected GUID pattern of hex-digit groups; a file-system path or shell snippet in place of a session ID indicates a potential exploitation attempt.
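The log review described in the Mitigation Strategies list and again here comes down to one check: does the value in the session ID field look like a GUID, or like a path or shell fragment? The Python below is an added example, not code from this article or from Palo Alto Networks. It assumes a GPSvc log layout in which the session ID appears inside "session(...)"; that layout, the sample lines and the function names are my own assumptions, and the SESSION_RE pattern should be adjusted to the real log format on your device before use.

```python
import re

# A legitimate session ID is a GUID: 8-4-4-4-12 hex digits. Assumption: this is
# the "hex-digit groups" pattern the article refers to.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Assumed log layout: the session ID is carried inside "session(...)".
SESSION_RE = re.compile(r"session\(([^)]*)\)")

# Constructed sample lines; not real GPSvc output.
SAMPLE_LOG = """\
2025-09-28 10:01:02 gpsvc INFO  processing hipreport for session(3f2a9b1c-7d4e-4a1b-9c2d-1e2f3a4b5c6d)
2025-09-28 10:01:03 gpsvc INFO  processing hipreport for session(A1B2C3D4-E5F6-4789-ABCD-EF0123456789)
2025-09-28 10:01:07 gpsvc ERROR failed to unmarshal session(/tmp/constructed_example.txt)
2025-09-28 10:01:09 gpsvc ERROR failed to unmarshal session(x; echo constructed)
2025-09-28 10:01:11 gpsvc INFO  heartbeat ok
"""


def classify_session_id(sid: str) -> str:
    """'ok' for a GUID; otherwise label the kind of anomaly seen."""
    if GUID_RE.match(sid):
        return "ok"
    if "/" in sid or "\\" in sid:
        return "path"          # file-system path where a GUID should be
    if any(ch in sid for ch in ";|&`$"):
        return "shell"         # shell metacharacters where a GUID should be
    return "malformed"         # anything else that is not a GUID


def scan_gpsvc_log(text: str) -> list:
    """Return one finding per log line whose session ID is not a valid GUID."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SESSION_RE.search(line)
        if not m:
            continue               # line carries no session ID field
        sid = m.group(1)
        verdict = classify_session_id(sid)
        if verdict != "ok":
            findings.append({"line": lineno, "session_id": sid, "indicator": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_gpsvc_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['indicator']:9s} session_id={f['session_id']!r}")
```

Run it over the exported gpsvc log files; any "path" or "shell" finding should be treated as a suspected exploitation attempt and followed by the evidence-collection steps in the vendor guidance, since a clean scan of one log rotation does not prove the device was never hit.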

A timeline of updates shows that enhanced factory reset (EFR) procedures and CLI commands for evidence collection were published between April and May 2024, underscoring the ongoing remediation efforts.

Conclusion

The active exploitation of CVE-2024-3400 highlights the persistent threats facing network security infrastructure. Organizations utilizing affected versions of PAN-OS with GlobalProtect enabled must prioritize patching and implement the recommended mitigation strategies to safeguard their systems. Continuous monitoring and adherence to best security practices are essential in defending against such vulnerabilities.