Palo Alto Networks Warns of Exploited SSL VPN Vulnerability

Your Palo Alto Networks SSL VPN may be at risk. Learn how to protect your organization from this critical, actively exploited vulnerability.

Palo Alto Networks has warned of a critical vulnerability in its PAN-OS SSL VPN, which has been exploited by attackers since late September 2025. The vulnerability, identified as CVE-2024-3400, affects on-premises PAN-OS 10.2-11.1 devices with GlobalProtect gateway or portal enabled.

Attackers are exploiting an arbitrary file creation flaw to achieve OS command injection and, ultimately, full root code execution on vulnerable firewalls. The attack involves manipulating POST requests to bypass session ID validation on the endpoint. One prominent source IP, 141.98.82.26, has been repeatedly observed issuing malicious POST requests. Attackers are pivoting file placement to directories, allowing command execution on compromised systems.

Administrators are advised to upgrade to the fixed PAN-OS versions (10.2.9-h1, 11.0.4-h1, 11.1.2-h3) and deploy Threat Prevention signatures (95187, 95189, 95191) to block exploitation attempts. Operators should inspect GPSvc logs for anomalous session ID strings to detect exploitation attempts. Organizations should also verify their configuration and audit for unauthorized files in /var/appweb/sslvpndocs to prevent unauthorized root-level access.
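The GPSvc log inspection recommended above can be scripted against exported logs with an allowlist check that flags every session value that is not exactly a GUID. This is an added example, not Palo Alto Networks tooling or code from the original article; the `session(<value>)` log shape, the expectation that a legitimate value is a GUID, and the sample lines are assumptions to adjust against real gpsvc output.

```python
import re
from typing import Iterable, List, NamedTuple

# Assumption: the session value is logged as "session(<value>)".
# Greedy capture up to the LAST ")" so "<GUID>)extra" cannot pass as a GUID;
# the second branch catches a value whose closing ")" is missing.
SESSION_RE = re.compile(r"session\((.*)\)|session\((.*)$")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


class Finding(NamedTuple):
    line_no: int
    value: str  # repr()-escaped so control characters cannot reach a terminal


def find_anomalous_sessions(lines: Iterable[str]) -> List[Finding]:
    """Allowlist check: flag every session value that is not exactly a GUID."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = SESSION_RE.search(line.rstrip("\r\n"))
        if match is None:
            continue  # line carries no session value
        value = match.group(1) if match.group(1) is not None else match.group(2)
        if GUID_RE.fullmatch(value) is None:
            findings.append(Finding(line_no, repr(value)))
    return findings


# Constructed sample lines (not real device output).
SAMPLE_LOG = [
    "2025-01-01 00:00:01 gpsvc: failed to unmarshal session(01234567-89ab-cdef-0123-456789abcdef)",
    "2025-01-01 00:00:02 gpsvc: failed to unmarshal session(AAAA/constructed/non-guid/value)",
    "2025-01-01 00:00:03 gpsvc: failed to unmarshal session(01234567-89ab-cdef-0123-456789abcdef)x)",
    "2025-01-01 00:00:04 gpsvc: unrelated message",
    "2025-01-01 00:00:05 gpsvc: failed to unmarshal session(deadbeef",
]

if __name__ == "__main__":
    for finding in find_anomalous_sessions(SAMPLE_LOG):
        print(f"line {finding.line_no}: suspicious session value {finding.value}")
```

Because the check is an allowlist, a well-formed log line with extra parenthesised text after the session value is also flagged and left for an analyst to dismiss.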

The vulnerability, CVE-2024-3400, poses a significant risk to organizations using affected PAN-OS devices. Palo Alto Networks has released fixed versions to mitigate the issue, and organizations are urged to upgrade and implement additional security measures to protect against exploitation attempts.
