
Palo Alto Networks PAN-OS Zero-Day Active Exploit: What You Need to Know

Palo Alto Networks issued a warning on April 12, 2024, that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.
Varonis Threat Labs
2 min read
Last updated April 16, 2024

Palo Alto Networks has warned that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.

CVE-2024-3400 is a critical vulnerability in Palo Alto Networks PAN-OS software. It affects firewalls running the PAN-OS 10.2, 11.0, and 11.1 release trains.

The flaw is a command injection in the GlobalProtect feature. A remote, unauthenticated attacker can use it to execute arbitrary commands with root privileges on an affected firewall. Exploitation requires no credentials and no user interaction.

CVE-2024-3400 does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access. An overview of the impact can be seen in the table below:


At the time of the initial advisory, Palo Alto Networks expected fixes for PAN-OS 10.2, 11.0, 11.1, and all later PAN-OS versions to ship by April 14, 2024.

Is CVE-2024-3400 being actively exploited in the wild?

Yes, this CVE is being actively exploited. The initial exploitation activity, tracked as Operation Midnight Eclipse, has been attributed to a single threat actor.

There is high confidence that other threat actors will attempt exploitation in the future.

What does this mean for my organization?

If you are a Palo Alto Networks customer running PAN-OS, closely monitor your network for abnormal activity and investigate anything unexpected. A list of known IOCs associated with exploitation attempts and post-exploitation activity is available here. Until a hotfix is applied, Palo Alto Networks recommends the following mitigations:

  • Customers with an active Threat Prevention subscription can block attacks related to this vulnerability by enabling Threat ID 95187
  • Additionally, ensure that vulnerability protection is applied to the GlobalProtect interface to prevent exploitation on affected devices 

If your organization is unable to apply the Threat Prevention mitigation, there’s an alternative.

Per the initial advisory, the vulnerability was exposed only if both a GlobalProtect gateway was configured (Network -> GlobalProtect -> Gateways) and device telemetry was enabled (Device -> Setup -> Telemetry), and customers were advised to temporarily disable device telemetry, re-enabling it once the hotfix was applied. Palo Alto Networks has since revised that guidance: device telemetry does not need to be enabled for a firewall with a GlobalProtect gateway or portal configured to be exposed, so disabling telemetry is not an effective mitigation. Apply the hotfix for your release, and use Threat Prevention as the interim control.

As of April 16, 2024, Palo Alto Networks has begun issuing hotfixes to remediate this vulnerability for their various PAN-OS release versions. Check Palo Alto Networks Security Advisories to determine if a patch is available for your current PAN-OS version or an estimate for when a patch is expected if one is not yet available. 

Currently, hotfixes are available for the following versions: 

  • 10.2.9-h1 
  • 10.2.8-h3 
  • 10.2.7-h8 
  • 11.0.4-h1 
  • 11.1.2-h3
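To turn the affected trains and the hotfix list above into a repeatable check across a fleet, the following added example (written for this article, not code from Varonis or Palo Alto Networks) parses a PAN-OS version string, or the sw-version line from `show system info` CLI output, and classifies the device against the fixed releases listed on this page. The hotfix table, the affected trains, and the sample CLI output are taken from or constructed for this post; maintenance releases the page does not list are reported as "unknown" so you go back to the vendor advisory rather than guess.

```python
import re
from dataclasses import dataclass

# First hotfix that remediates CVE-2024-3400 on each maintenance release,
# exactly as listed in this post (as of April 16, 2024). Releases not listed
# here (e.g. 10.2.6 or 11.1.1) are reported as unknown, not as safe.
FIXED_IN = {
    (10, 2, 9): 1,   # 10.2.9-h1
    (10, 2, 8): 3,   # 10.2.8-h3
    (10, 2, 7): 8,   # 10.2.7-h8
    (11, 0, 4): 1,   # 11.0.4-h1
    (11, 1, 2): 3,   # 11.1.2-h3
}

# Release trains the advisory lists as affected.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# PAN-OS versions look like 10.2.8 or 10.2.8-h3 (hotfix suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True)
class PanosVersion:
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the version carries no -hN suffix


def parse_version(text: str) -> PanosVersion:
    """Parse '11.1.2-h3' style strings; reject anything that does not fit."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def version_from_system_info(output: str) -> PanosVersion:
    """Pull the sw-version field out of `show system info` CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return parse_version(value)
    raise ValueError("no sw-version line found in output")


def assess(version: PanosVersion, globalprotect_configured: bool) -> str:
    """Classify one firewall against the hotfix list on this page.

    globalprotect_configured: True if a GlobalProtect gateway or portal is
    configured on the device (the vulnerable code path per the advisory).
    """
    if (version.major, version.minor) not in AFFECTED_TRAINS:
        return "not-affected"
    if not globalprotect_configured:
        # Not currently exposed, but still patch: configuration can change.
        return "not-exposed"
    fix = FIXED_IN.get((version.major, version.minor, version.maint))
    if fix is None:
        return "unknown-check-advisory"
    # Any later hotfix on the same maintenance release includes the fix.
    return "patched" if version.hotfix >= fix else "vulnerable"


# Constructed sample of `show system info` output (not from a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-3220
sw-version: 10.2.8-h2
"""

if __name__ == "__main__":
    v = version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(f"{v.major}.{v.minor}.{v.maint}-h{v.hotfix}: {assess(v, True)}")
```

The sample device is on 10.2.8-h2, one hotfix short of 10.2.8-h3, so it is reported as vulnerable; a device on 11.1.1 is reported as unknown because this page lists no hotfix for that maintenance release.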

How can Varonis Help?

With Varonis Edge, customers can protect themselves and their network security by taking the following actions:

  • Monitor Varonis for alerts generated from Palo Alto infrastructure specifically or related service accounts 
  • Audit all activity originating from Palo Alto infrastructure to verify no abnormal device, user, or file access has occurred 
  • Monitor DNS requests originating from Palo Alto infrastructure to ensure no anomalous or suspicious requests have been generated 
  • Monitor Proxy events originating from Palo Alto infrastructure to ensure no anomalous or suspicious events have been generated 
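The DNS hunt described in the list above, as an added example written for this article (not Varonis product code): it walks DNS query logs, keeps only queries sourced from the firewall management addresses, and flags any query that either matches a supplied IOC domain list or falls outside the small set of destinations a firewall management plane legitimately resolves. The management IPs, the baseline suffixes, the IOC list, and the log lines are all constructed for the example; the log format (timestamp, source IP, query name, query type) is an assumption you would adapt to your resolver's export.

```python
import re

# Assumed management-plane addresses of the PAN-OS firewalls (constructed).
FIREWALL_MGMT_IPS = {"192.0.2.10", "192.0.2.11"}

# Destinations a PAN-OS management plane is expected to resolve (assumption:
# vendor update/licensing infrastructure plus an internal NTP name).
BASELINE_SUFFIXES = ("paloaltonetworks.com", "ntp.corp.example")

# Assumed log layout: "<ISO timestamp> <source IP> <query name> <query type>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def parse_dns_log(lines):
    """Yield one dict per well-formed log line; silently skip malformed ones."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            yield rec


def is_baseline(qname):
    """True if qname is one of, or a subdomain of, the baseline suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in BASELINE_SUFFIXES)


def hunt(lines, ioc_domains=frozenset()):
    """Return (timestamp, src, qname, reason) for suspicious firewall-sourced queries."""
    iocs = {d.rstrip(".").lower() for d in ioc_domains}
    findings = []
    for rec in parse_dns_log(lines):
        if rec["src"] not in FIREWALL_MGMT_IPS:
            continue  # only the firewall's own lookups are of interest here
        q = rec["qname"]
        if q in iocs or any(q.endswith("." + d) for d in iocs):
            findings.append((rec["ts"], rec["src"], q, "known-ioc"))
        elif not is_baseline(q):
            findings.append((rec["ts"], rec["src"], q, "outside-baseline"))
    return findings


# Constructed sample log (not real traffic). Line 3 is a workstation and is
# ignored; line 4 is a firewall resolving an unexpected external name; line 5
# matches a constructed IOC; line 6 is malformed and is skipped.
SAMPLE_LOG = """\
2024-04-15T02:14:09Z 192.0.2.10 updates.paloaltonetworks.com. A
2024-04-15T02:14:10Z 192.0.2.10 ntp.corp.example A
2024-04-15T02:14:30Z 198.51.100.23 www.example.org A
2024-04-15T02:15:44Z 192.0.2.10 cdn-fetch.example.net A
2024-04-15T02:16:02Z 192.0.2.11 stage.badhost.example TXT
this line is not a dns record
""".splitlines()

# Constructed IOC list standing in for the vendor-published one.
SAMPLE_IOCS = frozenset({"badhost.example"})

if __name__ == "__main__":
    for ts, src, q, reason in hunt(SAMPLE_LOG, SAMPLE_IOCS):
        print(f"{ts} {src} {q} [{reason}]")
```

Run against the constructed log this yields two findings: the firewall's query for cdn-fetch.example.net, which no baseline suffix covers, and the second firewall's query for stage.badhost.example, which is a subdomain of a listed IOC. The same shape applies to proxy logs: swap the regex for your proxy's format and baseline on destination hosts instead of query names.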

If you have our network monitoring product and are using Varonis' cloud-hosted offering, our threat research team is proactively hunting for threats. They review your Varonis logs for suspicious activity and will contact you if needed.

If you are a Palo Alto Networks customer and want assistance hunting for IOCs in PAN-OS, please reach out to our team.


