A critical (CVSS 10.0) command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall.
What Is It
CVE-2024-3400 is a command injection flaw arising from arbitrary file creation in the GlobalProtect feature of PAN-OS. In affected versions with specific feature configurations, an unauthenticated attacker with network access to the firewall can execute arbitrary code as root on the device itself. The issue is classified under CWE-77 (Command Injection) and CWE-20 (Improper Input Validation), and carries the maximum CVSS 3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Why It Matters
This is an unauthenticated, network-reachable root RCE on a perimeter security device, the worst-case profile for a firewall vulnerability. CISA added CVE-2024-3400 to the Known Exploited Vulnerabilities catalog on 2024-04-12, the same day it was published, and flags it as having known use in ransomware campaigns. A compromised PAN-OS firewall hands attackers a privileged foothold at the network edge with full visibility into traffic crossing it.
What's Vulnerable
The vulnerability affects specific PAN-OS versions running the GlobalProtect feature under specific feature configurations. Affected releases documented in the NVD configuration include the PAN-OS 10.2 branch (10.2.0 through 10.2.6 and their hotfix builds among them). Cloud NGFW, Panorama appliances, and Prisma Access are explicitly not impacted.
Refer to the Palo Alto Networks advisory for the full list of affected versions across the 10.2, 11.0, and 11.1 branches and the exact configuration prerequisites (GlobalProtect gateway/portal and, historically, device telemetry).
Patch Status
CISA's required action directed federal agencies to apply vendor mitigations as they became available and, in the interim, to enable the vendor-provided Threat Prevention IDs on vulnerable devices. The CISA remediation due date was 2024-04-19, seven days after the CVE was added to KEV. Patches and a release schedule are published in the Palo Alto Networks security advisory linked below; operators should upgrade to a fixed PAN-OS release rather than relying solely on Threat Prevention signatures.