• itscybernews
  • Posts
  • How to Exploit Palo Alto Vulnerability CVE-2024-3400

How to Exploit Palo Alto Vulnerability CVE-2024-3400

Exploiting the Palo Alto Networks PAN-OS Vulnerability

In partnership with

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

Exploiting the PAN-OS Vulnerability

Exploiting the Palo Alto Networks PAN-OS Vulnerability (CVE-2024-3400)

The Palo Alto Networks PAN-OS vulnerability, identified as CVE-2024-3400, has recently gained significant attention due to its severe impact on network security. This critical vulnerability, affecting versions 10.2, 11.0, and 11.1 of PAN-OS with GlobalProtect configured, allows unauthenticated attackers to execute arbitrary code with root privileges, posing a significant threat to affected systems. This blog post delves into the technical aspects of how this vulnerability can be exploited and outlines the steps for safeguarding against such attacks.

Understanding CVE-2024-3400

The CVE-2024-3400 vulnerability stems from improper handling of the SESSID cookie in the GlobalProtect feature of PAN-OS. By manipulating this cookie value, an attacker can create arbitrary files on the system. This capability, when combined with a path traversal technique, enables the attacker to control both the filename and its directory location. This leads to a command injection vulnerability, ultimately allowing for remote code execution with root privileges​​​​​​.

Exploitation Sequence

  1. Initial Exploitation:

    • Cookie Manipulation: The attacker sets a specific value in the SESSID cookie to manipulate PAN-OS into creating a file with a controlled name and location.

    • Path Traversal: Utilizing path traversal techniques, the attacker directs the file creation to a sensitive directory.

  2. Arbitrary File Creation:

  • The crafted SESSID value leads to the creation of a file in a directory like /var/appweb/sslvpndocs/global-protect/portal/images/.

  • Example of a malicious SESSID value:

  1. Command Injection:

    • Once the file is created, it contains commands that are executed with root privileges, allowing the attacker to gain complete control over the firewall.

    • This command injection can be leveraged to download and execute additional payloads, such as the RedTail cryptocurrency mining malware​​.

RedTail Malware Integration

The RedTail malware, known for its cryptocurrency mining capabilities, has integrated this exploit into its arsenal. Upon successful exploitation of CVE-2024-3400, the malware executes commands to retrieve and run a bash script from an external domain. This script then downloads and installs the RedTail payload tailored for the target system's CPU architecture. This sophisticated approach ensures efficient resource utilization for mining operations​​.

Mitigation Strategies

To defend against CVE-2024-3400, the following steps are strongly recommended:

  1. Immediate Software Updates:

    • Upgrade to fixed versions of PAN-OS: 10.2.9-h1, 11.0.4-h1, 11.1.2-h3, or later.

    • Regularly check for and apply any additional patches released by Palo Alto Networks.

  2. Threat Prevention:

    • Utilize Threat IDs 95187, 95189, and 95191 to block exploitation attempts.

    • Ensure that vulnerability protection is applied to the GlobalProtect interface​​.

  3. Monitoring and Logging:

    • Regularly monitor system logs for unusual activity, such as attempts to unmarshal session identifiers containing file paths or shell commands.

    • Use commands like the following to detect suspicious patterns:

      Enhanced Factory Reset:

      • For systems suspected of being compromised, consider performing an enhanced factory reset to remove any persistent threats.


    The CVE-2024-3400 vulnerability in PAN-OS is a critical security flaw that requires immediate attention. By understanding the exploitation mechanics and implementing robust mitigation strategies, organizations can protect their network infrastructures from severe threats like the RedTail cryptocurrency mining malware. Regular updates, proactive monitoring, and comprehensive threat prevention measures are essential to safeguarding against such sophisticated attacks​​.

    For detailed information and updates on this vulnerability, refer to the official Palo Alto Networks security advisory here.

Side note
Get smarter about crypto with our 5 minute daily newsletter, read by 290,000+ people. Subscribe for free!