Hackers Actively Scanning for PAN-OS GlobalProtect Vulnerability

An internet-wide scanning campaign targeting Palo Alto Networks’ GlobalProtect portal signals that threat actors are probing for vulnerable firewalls to exploit CVE-2024-3400, a critical arbitrary file creation flaw in the GlobalProtect feature of PAN-OS that leads to unauthenticated OS command injection.

Security researchers at the SANS Internet Storm Center (ISC) detected a single source IP address (141.98.82.26) systematically issuing crafted POST and GET requests against the GlobalProtect HIP-report endpoint (/ssl-vpn/hipreport.esp), underscoring how easily the check can be automated and the urgency of patching affected systems.

Scanning Activity and Exploitation Steps

Researchers observed the same two-step probe that public exploits use:

  1. File Creation via POST
    A session ID (the SESSID cookie) containing a path-traversal sequence is sent in a POST request to /ssl-vpn/hipreport.esp. Because the value is used unsanitized as a file name, the portal creates a session file at an attacker-chosen location, in this case under the GlobalProtect web root.
  2. File Confirmation via GET
    A subsequent GET request for the file’s web path returns “403 Forbidden” rather than “404 Not Found”, confirming the file exists without executing any code.

These two requests let an unauthenticated adversary confirm arbitrary file placement, which is all a scanner needs to fingerprint an unpatched device.

In a real attack the same primitive is chained into command execution: in the publicly documented chain the file is written into the device-telemetry directory so that its attacker-controlled name is later passed, unsanitized, to a shell command by a scheduled telemetry job, giving the attacker root-level control of the firewall.

CVE Details and Impact

  CVE ID          : CVE-2024-3400
  Description     : Arbitrary file creation leading to OS command injection
  CVSS 4.0 Score  : 10.0
  Affected PAN-OS : 10.2 releases earlier than 10.2.9-h1 (per-release hotfixes available from 10.2.0-h3 onward)
                    11.0 releases earlier than 11.0.4-h1 (per-release hotfixes available from 11.0.0-h3 onward)
                    11.1 releases earlier than 11.1.2-h3 (per-release hotfixes available from 11.1.0-h3 onward)

This flaw affects PAN-OS firewalls configured with a GlobalProtect portal or gateway. Cloud NGFW, Panorama appliances, and Prisma Access are not affected.

Palo Alto Networks has assigned a perfect CVSS 4.0 score of 10.0 and a “HIGHEST” urgency rating.

Public proof-of-concept exploits and persistence techniques have already surfaced, heightening risk to unpatched environments.

The vulnerability has been exploited in the wild since before its public disclosure in April 2024, and its network-accessible, pre-authentication nature makes it a prime target for opportunistic operators and botnets now that working exploit code is public.

Recommended Actions:

  • Upgrade Immediately: Apply PAN-OS 10.2.9-h1, 11.0.4-h1, or 11.1.2-h3, or the corresponding hotfix for your maintenance release; courtesy hotfixes for other maintenance releases are also available.
  • Deploy Threat Prevention Signatures: Organizations with a Threat Prevention subscription should enable Threat IDs 95187, 95189, and 95191 and make sure the vulnerability-protection profile is applied to the GlobalProtect interface so that exploit attempts are blocked there.
  • Monitor Anomalous Requests: Watch for POST requests to hipreport.esp carrying path-shaped session IDs and for GET requests under /global-protect/portal/ that return 403 rather than 404, and alert on unusual user-agent strings or repeated 403/404 response patterns from a single source.
  • Enhanced Recovery: For potentially compromised devices, follow the enhanced factory-reset procedures provided by Palo Alto Networks Customer Support, since a standard reset may not remove attacker persistence.
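The following is an added detection example, not code from the article or from Palo Alto Networks, covering both the two-step probe described under “Scanning Activity and Exploitation Steps” and the “Monitor Anomalous Requests” recommendation above. It runs over constructed sample records: the access-log format (client IP, method, path, status, SESSID value, user agent) is an assumption for a proxy or logging layer in front of the portal, not PAN-OS’s own log format, and the gpsvc.log lines are modeled on the vendor’s published “failed to unmarshal session(” check with an assumed line prefix. The on-disk path in the sample SESSID value and all IP addresses are likewise constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample access-log-style records, CONSTRUCTED for this example (not real
# traffic and not PAN-OS's own log format). Assumed space-separated fields:
#   client_ip method path status session_id user_agent
# session_id is the SESSID cookie value, or "-" when no cookie was sent.
# 203.0.113.9 performs the two-step probe; the other clients are benign.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 GET /global-protect/login.esp 200 - Mozilla/5.0
203.0.113.9 POST /ssl-vpn/hipreport.esp 200 /../../../var/appweb/sslvpndocs/global-protect/portal/images/probe python-requests/2.31
203.0.113.9 GET /global-protect/portal/images/probe 403 - python-requests/2.31
198.51.100.8 POST /ssl-vpn/hipreport.esp 200 0123456789abcdef0123456789abcdef Mozilla/5.0
198.51.100.8 GET /global-protect/portal/images/logo.png 200 - Mozilla/5.0
198.51.100.9 GET /global-protect/portal/images/missing.png 404 - Mozilla/5.0
"""

# Constructed lines in the spirit of the vendor's published gpsvc.log check
# (look for "failed to unmarshal session(" followed by a path); the line
# prefix is assumed, not copied from a real device.
SAMPLE_GPSVC_LOG = """\
gpsvc: failed to unmarshal session(0123456789abcdef0123456789abcdef)
gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/probe)
"""

HIPREPORT_PATH = "/ssl-vpn/hipreport.esp"
PORTAL_STATIC_PREFIX = "/global-protect/portal/"
# Assumption: a genuine session ID is an opaque alphanumeric token, so a slash
# or traversal sequence inside it is the attack marker.
SAFE_SESSION_ID = re.compile(r"[A-Za-z0-9]+")
UNMARSHAL_TRAVERSAL = re.compile(r"failed to unmarshal session\([^)]*/")


@dataclass
class Record:
    ip: str
    method: str
    path: str
    status: int
    session_id: str
    user_agent: str


def parse_access_log(text):
    """Parse the assumed six-field format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, status, sid, ua = line.split(" ", 5)
        records.append(Record(ip, method, path, int(status), sid, ua))
    return records


def malicious_session_id(sid):
    """True when a SESSID value is path-shaped rather than an opaque token."""
    return sid != "-" and SAFE_SESSION_ID.fullmatch(sid) is None


def analyze_access_log(records):
    """Return (client_ip, severity, reason) findings for the two-step probe."""
    findings = []
    posted_hipreport = defaultdict(bool)  # ip -> already POSTed hipreport.esp
    for r in records:
        if r.method == "POST" and r.path.endswith(HIPREPORT_PATH):
            posted_hipreport[r.ip] = True
            if malicious_session_id(r.session_id):
                findings.append((r.ip, "high",
                                 f"path-shaped SESSID on hipreport.esp: {r.session_id}"))
        elif (r.method == "GET" and r.path.startswith(PORTAL_STATIC_PREFIX)
              and r.status == 403):
            # 403 rather than 404 on a portal static path means the file
            # exists; following a hipreport.esp POST from the same client it
            # is the confirmation step of the probe.
            severity = "high" if posted_hipreport[r.ip] else "medium"
            findings.append((r.ip, severity,
                             f"403 for {r.path}: file exists under the portal web root"))
    return findings


def gpsvc_exploit_attempts(text):
    """Return gpsvc.log lines whose unmarshalled session ID contains a path."""
    return [ln for ln in text.splitlines() if UNMARSHAL_TRAVERSAL.search(ln)]


if __name__ == "__main__":
    for finding in analyze_access_log(parse_access_log(SAMPLE_ACCESS_LOG)):
        print("ACCESS", *finding)
    for line in gpsvc_exploit_attempts(SAMPLE_GPSVC_LOG):
        print("GPSVC ", line)
```

The per-client correlation is what separates a real probe from noise: a lone 403 on a portal static path can be a misconfigured link, but a 403 on a previously non-existent path from the same source that just POSTed a path-shaped SESSID to hipreport.esp is the exact sequence the scanner above was observed performing. The gpsvc.log check catches the same thing from the device side, since a benign session ID never contains a slash.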

With scanning activity surging and exploit code public, organizations must prioritize continuous monitoring, timely patching, and deployment of threat prevention signatures to thwart potential full-system compromise.

Failure to address CVE-2024-3400 immediately could result in root-level control of critical network security infrastructure.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
