PAN-OS GlobalProtect Endpoint Probe (CVE-2024-3400) for 2026-03-04

Mar 04, 2026 WebExploit

Last Updated: 12:10 UTC

CVE-2024-3400 is a command injection in Palo Alto PAN-OS GlobalProtect (CVSS 10.0) allowing unauthenticated RCE via the prelogin endpoint. Exploitation was observed in the wild before the patch was available. Scanners probe /global-protect/prelogin.esp and /login.esp to fingerprint GlobalProtect gateways prior to exploitation.

CVE References

CVE-2024-3400

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

/global-protect/login.esp
/global-protect/portal/images/3ASxYa7wFx6D5QDikQXHm2Ptnbj.txt
/global-protect/login.esp?user=j%22;-alert(1)-%22x

Attackers by Country

IP Address : ASN : City/Provider

198.167.197.194 : AS39287 ab stract : Sweden

Share on: