PAN-OS GlobalProtect Endpoint Probe (CVE-2024-3400) for 2026-03-02

Mar 02, 2026 WebExploit

Last Updated: 12:16 UTC

CVE-2024-3400 is a command injection in Palo Alto PAN-OS GlobalProtect (CVSS 10.0) allowing unauthenticated RCE via the prelogin endpoint. Exploitation was observed in the wild before the patch was available. Scanners probe /global-protect/prelogin.esp and /login.esp to fingerprint GlobalProtect gateways prior to exploitation.

CVE References

CVE-2024-3400

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

/global-protect/login.esp
/global-protect/portal/images/3ANAzf32x1kTeXrEZmoFRrB3BTQ.txt
/global-protect/login.esp?user=j%22;-alert(1)-%22x
/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows

Attackers by Country

IP Address : ASN : City/Provider

141.98.80.111 : AS43350 nforce entertainment b.v. : Panama
198.167.197.162 : AS39287 ab stract : Sweden

Share on: