PAN-OS GlobalProtect Endpoint Probe (CVE-2024-3400) for 2022-12-03

Last Updated: 12:00 UTC

CVE-2024-3400 is a command injection in Palo Alto PAN-OS GlobalProtect (CVSS 10.0) allowing unauthenticated RCE via the prelogin endpoint. Exploitation was observed in the wild before the patch was available. Scanners probe /global-protect/prelogin.esp and /login.esp to fingerprint GlobalProtect gateways prior to exploitation.

CVE References

CVE-2024-3400

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

• /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows

Attackers by Country

IP Address : ASN : City/Provider

• 166.1.15.176 : AS61317 digital energy technologies ltd. : United States of America