An uptick in internet-wide scanning activity indicates that threat actors are actively probing for systems vulnerable to CVE-2024-3400, a critical GlobalProtect flaw in Palo Alto Networks PAN-OS.
Security researchers at SANS ISC observed a single source IP address, 141.98.82.26, systematically sending requests to the GlobalProtect portal's hipreport.esp endpoint, abusing it as a file-creation primitive to place files on firewalls and then retrieve them to confirm the flaw is present.
The probe involves two simple steps. First, the attacker issues a POST request to /ssl-vpn/hipreport.esp with a manipulated session ID (the SESSID cookie) containing path-traversal sequences, which causes the firewall to create an empty file at an attacker-chosen path under the GlobalProtect web directory.
Next, a GET request for that file's path under /global-protect/portal/images/ confirms the file was created when the server responds with a 403 rather than a 404: the file exists, although the probe itself executes no code.
| CVE ID | Description | CVSS 4.0 Score | Affected PAN-OS Versions |
|---|---|---|---|
| CVE-2024-3400 | Arbitrary file creation leading to OS command injection | 10.0 | 10.2.x below 10.2.9-h1; 11.0.x below 11.0.4-h1; 11.1.x below 11.1.2-h3 (earlier maintenance releases in each train are fixed by their own hotfixes, starting at 10.2.0-h3, 11.0.0-h3 and 11.1.0-h3) |
In a real attack, adversaries chain the file creation with a second step: the crafted file name is written to a location where a privileged firewall process later consumes it as part of a command line, turning arbitrary file creation into OS command injection and root-level control over the firewall.
This vulnerability impacts PAN-OS versions 10.2, 11.0, and 11.1 when configured with a GlobalProtect portal or gateway. Cloud NGFW, Panorama, and Prisma Access are unaffected.
With the maximum CVSS 4.0 score of 10.0 and an urgency rating of HIGHEST from Palo Alto Networks, this issue demands immediate attention.
Proof-of-concept code has proliferated publicly, and post-exploit persistence techniques have been demonstrated, increasing the stakes for unpatched environments.
Despite the surge in scans, the current wave has not yet been tied to widespread confirmed compromises; the vulnerability was, however, exploited in the wild as a zero-day when it was first disclosed in April 2024, so any exposed, unpatched device should be assumed to be a target.
The ease of automation, the absence of any authentication requirement, and the vulnerability's network-accessible nature make it a prime target for opportunistic operators and automated botnets.
Palo Alto Networks has released fixes in PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, as well as several courtesy hotfixes for other maintenance releases.
Administrators are strongly urged to upgrade immediately. Organizations with a Threat Prevention subscription can also block exploit attempts by enabling Threat IDs 95187, 95189, and 95191 in a vulnerability protection profile applied to the GlobalProtect interface. Disabling device telemetry is no longer considered an effective mitigation.
Until patches are applied, defenders should monitor GlobalProtect endpoints for POST requests to /ssl-vpn/hipreport.esp whose SESSID cookie contains path-traversal sequences such as ../, and for GET requests under /global-protect/portal/images/ for file names that are not legitimate portal images.
Network intrusion detection systems should alert on unusual user-agent strings and on the probe pattern itself: a POST to hipreport.esp followed, from the same source, by a GET to the images directory that returns 403 or 404.
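The following script is an added example, not code from SANS ISC, Palo Alto Networks, or the original article. It runs the detection logic described above over a few constructed access-log lines: it flags SESSID cookies that carry path traversal on hipreport.esp requests, then correlates them with a follow-up GET to /global-protect/portal/images/ that returns 403, which is the two-step probe pattern described earlier. The log format (client IP, method, path, status, user agent, cookie) and the on-disk traversal target in the sample cookie are assumptions made for this example, not PAN-OS's native log layout.

```python
"""Detect the CVE-2024-3400 two-step probe in access-log style records (added example)."""
import re
from urllib.parse import unquote

# Assumed log format for this example (constructed, not PAN-OS's own format):
#   client_ip method path status "user-agent" "cookie-header-or-dash"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
SESSID_RE = re.compile(r"SESSID=(?P<sid>[^;]*)")
HIPREPORT = "/ssl-vpn/hipreport.esp"
IMAGES_DIR = "/global-protect/portal/images/"

# Constructed sample traffic: one scanner running the probe, plus benign noise.
SAMPLE_LOG = """\
141.98.82.26 POST /ssl-vpn/hipreport.esp 200 "python-requests/2.31" "SESSID=/../../../../../var/appweb/sslvpndocs/global-protect/portal/images/probe.txt"
141.98.82.26 GET /global-protect/portal/images/probe.txt 403 "python-requests/2.31" "-"
203.0.113.7 POST /ssl-vpn/hipreport.esp 200 "PAN GlobalProtect/6.1" "SESSID=a1b2c3d4e5f6"
203.0.113.7 GET /global-protect/portal/images/logo.png 200 "Mozilla/5.0" "-"
198.51.100.9 GET /global-protect/portal/images/%2e%2e/ 404 "curl/8.4" "-"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_sessid(cookie):
    """Return the decoded SESSID value if it carries path traversal, else None.

    A legitimate session ID is an opaque token; any slash or '..' inside it
    means the value is being used as a file path. Decoding twice catches
    double-encoded sequences such as %252e%252e.
    """
    m = SESSID_RE.search(cookie)
    if not m:
        return None
    sid = unquote(unquote(m.group("sid")))
    if "/" in sid or ".." in sid:
        return sid
    return None


def analyze(log_text):
    """Return a list of findings, in log order, for the two-step probe pattern."""
    findings = []
    pending = {}  # client ip -> basename of the file its traversal would create
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if path.startswith(HIPREPORT):
            sid = suspicious_sessid(rec["cookie"])
            if sid:
                # Stage 1: traversal in SESSID on hipreport.esp (file creation attempt)
                name = sid.rstrip("/").rsplit("/", 1)[-1]
                pending[ip] = name
                findings.append({"ip": ip, "stage": "traversal_sessid", "detail": sid})
        elif rec["method"] == "GET" and path.startswith(IMAGES_DIR):
            # Stage 2: same source fetches the created name; 403 = file exists
            name = unquote(path[len(IMAGES_DIR):])
            if pending.get(ip) == name and status == 403:
                findings.append({"ip": ip, "stage": "file_creation_confirmed", "detail": name})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['stage']:25} {f['detail']}")
```

Only the scanner at 141.98.82.26 produces findings: the traversal cookie is reported first, and the 403 on its own probe name is reported as a confirmed file creation. The legitimate client's opaque SESSID and the stray encoded-dot GET that returns 404 are ignored. In production the same correlation should key on a short time window per source rather than on the whole file.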
Enhanced factory-reset procedures are available via Palo Alto Networks Customer Support for compromised devices that cannot be fully trusted.
With widespread scanning underway and proof-of-concept exploits public, organizations must treat this vulnerability with the utmost urgency to prevent potential full-system compromise.
Continuous monitoring, timely patching, and threat prevention signatures are essential defenses against emerging exploitation attempts.