Attack

Scanning campaign targets critical Palo Alto GlobalProtect vulnerability

Take action: If you have not patched your Palo Alto Networks firewalls running GlobalProtect VPN since the fixes shipped in April 2024, assume they are already compromised. Update IMMEDIATELY regardless, then check every device for the indicators of compromise described below; if anything looks suspicious, perform a full factory reset following Palo Alto Networks support instructions.


Learn More

Security researchers have detected a significant surge in internet-wide scanning for a critical vulnerability in the GlobalProtect feature of PAN-OS.

The targeted flaw is tracked as CVE-2024-3400 (CVSS score 10.0), an arbitrary file creation vulnerability that leads to command injection: an unauthenticated attacker can execute arbitrary code with root privileges on a vulnerable firewall. Only PAN-OS versions 10.2, 11.0 and 11.1 are affected, and only when a GlobalProtect gateway or GlobalProtect portal (or both) is configured.

Security researchers at the SANS Internet Storm Center (ISC) and the SANS Technology Institute have documented thousands of TCP connections probing PAN-OS SSL VPN portals since late September 2025, with a single source IP address (141.98.82.26) systematically running automated exploitation attempts.

The probe works in two steps. First, the attacker sends a crafted POST request to the /ssl-vpn/hipreport.esp endpoint with a malicious Cookie header; because the session ID taken from the cookie is not validated, it is used as a file name and a session file is created inside the GlobalProtect directory structure. Second, the attacker issues a GET request for the path of the file it just created, typically under /global-protect/portal/images/. An HTTP 403 Forbidden response (a file that does not exist would return 404 Not Found) confirms that the arbitrary file was placed on the system; this stage writes a file but executes no code. In real-world attacks, adversaries point the same file-creation primitive at directories whose contents are executed as OS commands, ultimately gaining root-level control of the firewall.

Organizations can verify whether they are exposed by checking the firewall web interface under Network > GlobalProtect > Gateways and Network > GlobalProtect > Portals: any configured gateway or portal entry means the device is affected. Administrators should also audit the /var/appweb/sslvpndocs directory for unauthorized files and review the GPSvc log for anomalous session ID strings. A legitimate session ID is a GUID (groups of hex digits); file-system paths or shell command fragments between the session markers indicate exploitation attempts. The following PAN-OS CLI command lists log entries whose session ID contains a path: grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
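The two checks above, the GPSvc log review and the POST-then-GET probe pattern, can be applied offline to exported logs. The following script is an added example written for this page; it is not Palo Alto Networks tooling. It assumes exported gpsvc.log lines containing the "failed to unmarshal session(...)" message and a web access log in Combined Log Format (for example from a reverse proxy or load balancer in front of the portal). All sample log lines are constructed for illustration; only the source IP 141.98.82.26 and the paths come from the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Palo Alto's own CLI check is:
#   grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
# i.e. session IDs that contain a "/". This script applies the same idea to
# exported lines and adds the GUID rule from the text: a legitimate session ID
# is hex-digit groups, anything else (paths, backticks, shell fragments) is an
# exploitation attempt.
UNMARSHAL = re.compile(r"failed to unmarshal session\((.*)\)")
GUID = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SHELL_METACHARS = ("`", "$(", ";", "|", "&")

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
# (assumed format; PAN-OS itself does not export this, a proxy in front does)
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


@dataclass
class Finding:
    line_no: int
    session: str
    reason: str


def classify_session(session: str) -> Optional[str]:
    """Return None for a GUID-shaped session ID, otherwise why it is suspicious."""
    if GUID.match(session):
        return None
    if ".." in session or "/" in session:
        return "path traversal in session ID"
    if any(m in session for m in SHELL_METACHARS):
        return "shell metacharacters in session ID"
    return "non-GUID session ID"


def scan_gpsvc(lines: List[str]) -> List[Finding]:
    """Flag every 'failed to unmarshal session' entry whose ID is not a GUID."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = UNMARSHAL.search(line)
        if not m:
            continue
        reason = classify_session(m.group(1))
        if reason:
            findings.append(Finding(n, m.group(1), reason))
    return findings


def find_probe_sequences(access_lines: List[str]) -> List[Tuple[str, str]]:
    """Per source IP: a POST to /ssl-vpn/hipreport.esp followed by a GET under
    /global-protect/portal/images/ answered with 403 is the scanner's success
    signal (403 = file exists but is not served; 404 = placement failed)."""
    posted = set()
    hits = []
    for line in access_lines:
        m = ACCESS.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/ssl-vpn/hipreport.esp"):
            posted.add(ip)
        elif (method == "GET" and path.startswith("/global-protect/portal/images/")
              and ip in posted and status == "403"):
            hits.append((ip, path))
    return hits


# Constructed sample gpsvc.log lines (not real device output).
SAMPLE_GPSVC = [
    "failed to unmarshal session(4b1e2f3a-9c8d-4e7f-a1b2-c3d4e5f67890)",
    "failed to unmarshal session(/../../../opt/panlogs/tmp/device_telemetry/minute/`id`)",
    "failed to unmarshal session($(whoami))",
    "gpsvc started, listening for HIP reports",
]

# Constructed sample access-log lines (not real device output).
SAMPLE_ACCESS = [
    '141.98.82.26 - - [29/Sep/2025:10:15:01 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '141.98.82.26 - - [29/Sep/2025:10:15:02 +0000] "GET /global-protect/portal/images/probe.txt HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Sep/2025:10:16:00 +0000] "GET /global-protect/portal/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [29/Sep/2025:10:17:00 +0000] "GET /global-protect/portal/images/probe.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_gpsvc(SAMPLE_GPSVC):
        print(f"gpsvc line {f.line_no}: {f.reason}: {f.session!r}")
    for ip, path in find_probe_sequences(SAMPLE_ACCESS):
        print(f"probe sequence from {ip}: file placed at {path}")
```

A GUID that merely failed to unmarshal is noise; a slash, ".." or backtick inside the parentheses is the signature the grep command above is looking for, and the 403 on a path the scanner itself chose tells you the file write succeeded.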

Palo Alto Networks has released fixed versions for this vulnerability, including PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, along with hotfixes for other commonly deployed maintenance releases. Upgrade to a fixed version immediately.

For devices that may have been compromised, Palo Alto Networks Customer Support provides enhanced factory-reset procedures; follow those rather than a standard reset to ensure complete remediation.
