PAN-OS GlobalProtect Command Injection Vulnerability

Released: Apr 12, 2024

Updated: Apr 26, 2024


Severity: Critical

Vendor: Palo Alto

Type: Attack, Vulnerability


An actively exploited critical vulnerability in PAN-OS GlobalProtect

The attack on PAN-OS GlobalProtect devices, tracked as CVE-2024-3400, allows a malicious actor to remotely exploit an unauthenticated command injection vulnerability that leads to remote code execution. Once a foothold is established, the attacker can go on to collect device configurations, deliver malware payloads, and move laterally within the internal network.

Common Vulnerabilities and Exposures

CVE-2024-3400

Background

The GlobalProtect Gateway provides a security solution for roaming users by extending the same next-generation firewall-based policies to them wherever they connect from.

Latest Development

Recent news and incidents related to this cybersecurity threat, covering events such as data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


FortiGuard is continuously monitoring and investigating the attack to increase protection coverage and reduce the attack surface.

April 15, 2024: FortiGuard released an IPS signature to detect and block exploitation attempts targeting edge devices.
Also, FortiGuard published an Outbreak walkthrough video.
https://www.fortiguard.com/encyclopedia/ips/55555

April 12, 2024: FortiGuard published this Outbreak Alert report.

April 12, 2024: FortiGuard issued a Threat Signal.
https://www.fortiguard.com/threat-signal-report/5423/pan-os-critical-flaw-in-globalprotect-gateway-cve-2024-3400

April 11, 2024: Palo Alto Networks released a security advisory for GlobalProtect.
https://security.paloaltonetworks.com/CVE-2024-3400

April 10, 2024: Volexity identified zero-day exploitation of a vulnerability in GlobalProtect.
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Lure
  • Decoy VM
  • AV
  • Web App Security
  • IPS

DETECT
  • IOC
  • Outbreak Detection
  • Threat Hunting
  • Playbook

RESPOND
  • Automated Response
  • Assisted Response Services

RECOVER
  • NOC/SOC Training
  • End-User Training

IDENTIFY
  • Attack Surface Hardening
  • Business Reputation
  • Attack Surface Monitoring (Inside & Outside)
  • Inventory Management

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events, including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware, and related vulnerabilities.



Indicators of Compromise

IOC Indicator List

Indicator | Type | Status
23.227.194.230 ip Active
1433.eu.org domain Active
154.88.26.223 ip Active
89.187.187.69 ip Active
134.213.29.14 ip Active
209.141.42.131 ip Active
www.megtech.xyz domain Active
138.68.90.19 ip Active
78f6f94aaa72e41d64e4dc309a3553399db2b4cd0edae56... file Active
ec59616b1c80951d6597d4f25a9c031be0391151dc1073a... file Active
68.170.165.36 ip Active
79.110.62.25 ip Active
209.141.50.215 ip Active
forticloud.online domain Active
fortigate.forticloud.online domain Active
login.forticloud.online domain Active
193.222.96.163 ip Active
534c989d110ece8c429d2ded913933b961710726d8655b8... file Active
23.94.158.73 ip Active
a001642046a6e99ab2b412d96020a243a221e3819eaac94... file Active
45.76.65.42 ip Active
185.216.70.138 ip Active
c6c250e1cd6d5477b46871ffe17deac248d723ad45687fc... file Active
212.64.28.57 ip Active
8eb3617768ce4693b726bb8187e5cccea3359de0196d6f2... file Active
217.195.153.178 ip Active
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d2... file Active
5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef... file Active
http://144.172.79.92/ url Active
http://144.172.79.92/update.py url Active
http://172.233.228.93/ url Active
http://172.233.228.93/patch url Active
http://172.233.228.93/policy url Active
144.172.79.92 ip Active
172.233.228.93 ip Active
66.235.168.222 ip Active
089801d87998fa193377b9bfe98e87ff file Active
0c1554888ce9ed0da1583dbdf7b31651 file Active
12b5e30c2276664e87623791085a3221 file Active
427258462c745481c1ae47327182acd3 file Active
5e4c623296125592256630deabdbf1d2 file Active
724c8059c150b0f3d1e0f80370bcfe19 file Active
87312a7173889a8a5258c68cac4817bd file Active
a43e3cf908244f85b237fdbacd8d82d5 file Active
b9f5e9db9eec8d1301026c443363cf6b file Active
d31ec83a5a79451a46e980ebffb6e0e8 file Active
161fd76c83e557269bee39a57baa2ccbbac679f59d9adff... file Active
172.233.228.93:443 ip Active
172.233.228.93:8443 ip Active
35a5f8ac03b0e3865b3177892420cb34233c55240f452f0... file Active
448fbd7b3389fe2aa421de224d065cea7064de0869a0366... file Active
755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed3... file Active
96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d2... file Active
adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d1... file Active
c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9... file Active
e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d5... file Active
fe07ca449e99827265ca95f9f56ec6543a4c5b712ed5003... file Active
http://172.233.228.93/lowdp url Active
http://172.233.228.93/vpn_prot.gz url Active
http://172.233.228.93/vpn.log url Active
198.58.109.149 ip Active
137.118.185.101 ip Active
23.242.208.175 ip Active
71.9.135.100 ip Active
173.255.223.159 ip Active
e3aab908800cb4601bc4a87ac9ac48d816ced57cdb409b6... file Active
206.189.14.205 ip Active
710f67d0561c659aecc56b94ee3fc82c967a9647c08451e... file Active
949cfa6514e499e28aa32feba800181558e60455b971206... file Active
ab3b9ec7bdd2e65051076d396d0ce76c1b4d6f3f00807fa... file Active
38.207.148.123 ip Active
110.47.250.103 ip Active
203.160.86.91 ip Active
38.60.218.153 ip Active
edcjn.57fe6f5d9d.ipv6.1433.eu.org domain Active
https://45.121.51.2/abc.txt url Active
srgsd1f.842b727ba4.ipv6.1433.eu.org domain Active
srgsdf.842b727ba4.ipv6.1433.eu.org domain Active
126.227.76.24 ip Active
147.45.70.100 ip Active
149.28.194.95 ip Active
149.88.27.212 ip Active
154.223.16.34 ip Active
199.119.206.28 ip Active
38.180.106.167 ip Active
38.180.128.159 ip Active
38.180.41.251 ip Active
38.181.70.3 ip Active
45.121.51.2 ip Active
64.176.226.203 ip Active
78.141.232.174 ip Active
94.156.79.129 ip Active
107.152.33.113 ip Active
109.120.178.253:443 ip Inactive
146.190.114.191 ip Active
103.29.68.12 ip Active
103.29.68.126 ip Active
104.28.157.195 ip Active
104.28.160.182 ip Active
106.104.162.35 ip Active