PAN-OS GlobalProtect Endpoint Probe (CVE-2024-3400) for 2023-06-02

Last Updated: 12:00 UTC

CVE-2024-3400 is a command injection in Palo Alto PAN-OS GlobalProtect (CVSS 10.0) allowing unauthenticated RCE via the prelogin endpoint. Exploitation was observed in the wild before the patch was available. Scanners probe /global-protect/prelogin.esp and /login.esp to fingerprint GlobalProtect gateways prior to exploitation.

CVE References

CVE-2024-3400

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

• /global-protect/login.esp

Attackers by Country

IP Address : ASN : City/Provider

• 89.248.168.36 : AS202425 ip volume inc : Amsterdam