PAN-OS Command Injection Vulnerability (CVE-2024-3400)

A critical OS command injection vulnerability (CVE-2024-3400) was identified in the GlobalProtect Gateway of Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1. With specific feature configurations, it may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.



  • Command Injection Vulnerability (CVE-2024-3400)


Severity Level

  • Critical (Score: 10, maximum)


Affected Products

  • PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both) and with device telemetry enabled.
    • PAN-OS 11.1: < 11.1.2-h3
    • PAN-OS 11.0: < 11.0.4-h1
    • PAN-OS 10.2: < 10.2.9-h1

(Cloud NGFW, Panorama appliances, Prisma Access and all other versions of PAN-OS are not impacted by this vulnerability.)

You can:

    • Verify whether the device has a GlobalProtect gateway configured by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways).
    • Verify whether device telemetry is enabled by checking the firewall web interface (Device > Setup > Telemetry).
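
The affected-version rules and the two configuration checks above can be applied across a firewall inventory. The following is an added example, not code from Palo Alto Networks or from this advisory; the function names, status labels and inventory rows are constructed for illustration, and it assumes version strings of the form `X.Y.Z` or `X.Y.Z-hN`.

```python
import re

# Fixed (maintenance, hotfix) per release train, taken from the advisory text above.
FIXED = {"10.2": (9, 1), "11.0": (4, 1), "11.1": (2, 3)}

# Assumption: versions look like "10.2.9" or "10.2.9-h1"; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into (train, (maintenance, hotfix))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    # A release without a hotfix suffix sorts below every hotfix of that release.
    return f"{major}.{minor}", (int(maint), int(hotfix or 0))


def assess(version, globalprotect, telemetry):
    """Return 'not-affected', 'patched', 'vulnerable-version' or 'exposed'."""
    train, build = parse_version(version)
    if train not in FIXED:
        return "not-affected"  # advisory: other PAN-OS versions are not impacted
    if build >= FIXED[train]:
        return "patched"
    # Below the fix: exposure depends on the two features the advisory names.
    if globalprotect and telemetry:
        return "exposed"
    return "vulnerable-version"


# Constructed inventory: (hostname, version, GlobalProtect gateway/portal, telemetry)
INVENTORY = [
    ("fw-edge-01", "10.2.9", True, True),
    ("fw-edge-02", "10.2.9-h1", True, True),
    ("fw-dc-01", "11.1.2-h2", True, False),
    ("fw-lab-01", "10.1.11", True, True),
    ("fw-dc-02", "11.0.5", False, False),
]


def triage(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(ver, gp, tel) for host, ver, gp, tel in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

A result of `vulnerable-version` means the release is below the fixed hotfix but the feature combination listed in the advisory is not present, so the device still needs the upgrade.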



  • Fixes are released in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS versions. Affected systems should be patched as soon as possible to eliminate the potential threat of exploitation.
  • Review and disable Device Telemetry if it is active but unnecessary.
    Please see Disable Device Telemetry for details on how to disable device telemetry.
  • Ensure vulnerability protection has been applied to the GlobalProtect interface to prevent exploitation of this issue on the device.
    Please see Applying Vulnerability Protection to GlobalProtect Interfaces (Palo Alto Networks) for more information.
  • Devices with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (available in Applications and Threats content version 8833-8682 and later).







Published on: 13 Apr 2024

Last update on: 15 Apr 2024