Palo Alto Networks firewalls are known for their advanced security capabilities. Yet like any internet-exposed appliance, PAN-OS — their operating system — is regularly affected by critical vulnerabilities. In 2024, a zero-day triggered a global crisis for security teams.
PAN-OS: A Ubiquitous System
PAN-OS powers Palo Alto Networks' Next-Generation Firewalls (NGFW), used by thousands of enterprises as their first line of defense. Its key components — GlobalProtect (VPN), Panorama (management), and the admin portal — are regularly internet-exposed and therefore targeted.
CVE-2024-3400: The 2024 Zero-Day (CVSS 10.0)
The Vulnerability
In April 2024, Palo Alto Networks disclosed CVE-2024-3400 — an OS command injection in PAN-OS's GlobalProtect Gateway feature. Maximum CVSS score: 10.0.
An unauthenticated attacker can create files with specially crafted names via the GlobalProtect interface, triggering arbitrary command execution with root privileges.
Affected versions:
- PAN-OS 10.2 (< 10.2.9-h1)
- PAN-OS 11.0 (< 11.0.4-h1)
- PAN-OS 11.1 (< 11.1.2-h3)
Condition: Both GlobalProtect Gateway AND device telemetry must be enabled.
Zero-Day Exploitation
The group UTA0218 (attributed to a nation-state) had been exploiting CVE-2024-3400 since mid-March 2024 — three weeks before disclosure. Attackers deployed a Python backdoor called UPSTYLE to:
- Maintain persistent access
- Exfiltrate VPN configurations and credentials
- Pivot into victims' internal networks
The operation was dubbed "Operation MidnightEclipse" by Palo Alto Unit 42.
Immediate Workaround
Before the patch, Palo Alto provided a workaround:
Disable device telemetry:
Device → Setup → Telemetry → uncheck all options
CVE-2022-0028: DDoS Amplification (CVSS 8.6)
A misconfiguration in PAN-OS allowed Palo Alto firewalls to be used as reflected DDoS amplifiers. An attacker could send forged requests to the firewall to generate amplified response traffic toward a third-party target.
Affected: PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1 and 10.2, but only on firewalls with a specific security-policy configuration.
CVE-2021-3064: RCE in GlobalProtect (CVSS 9.8)
A buffer overflow in the GlobalProtect portal enabled pre-authenticated remote code execution. Affected PAN-OS 8.1 with GlobalProtect enabled.
CVE-2020-2021: SAML Auth Bypass (CVSS 10.0)
A critical authentication bypass in PAN-OS's SAML verification. Affected all appliances using SSO authentication via SAML, allowing anyone to authenticate without valid credentials.
The NSA and CISA issued a joint alert on this vulnerability, widely exploited by Russian APT groups (Fancy Bear / APT28).
Monitoring PAN-OS CVEs
Check Your Current Version
# Via PAN-OS CLI
show system info | match sw-version
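To turn the affected-version list above into a repeatable check, here is an added example (not from the page or from Palo Alto Networks) that parses the sw-version line from `show system info` output and compares it against the CVE-2024-3400 fixed releases, honouring the GlobalProtect Gateway and telemetry precondition. The hostnames and output below are constructed; the version and hotfix format (`10.2.9-h1`) is the real PAN-OS one.

```python
"""Added example (not from the page or Palo Alto Networks): check a PAN-OS
sw-version string against the CVE-2024-3400 fixed releases listed above."""
import re
from typing import Optional, Tuple

# Fixed releases as summarised in the advisory section above; a release train
# not listed here (e.g. 10.1) is treated as not affected by this CVE.
FIXED_RELEASES = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.9-h1' into a comparable tuple (10, 2, 9, 1); no hotfix -> 0."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def extract_sw_version(cli_output: str) -> Optional[str]:
    """Pull the sw-version value out of 'show system info' output."""
    m = re.search(r"^\s*sw-version:\s*(\S+)", cli_output, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_cve_2024_3400(ver: str, gp_gateway: bool, telemetry: bool) -> bool:
    """True when the release is below the fixed one AND both preconditions hold."""
    parsed = parse_version(ver)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return False
    return parsed < parse_version(fixed) and gp_gateway and telemetry


# Constructed sample output, trimmed to the lines this check needs.
SAMPLE_OUTPUT = """hostname: fw-edge-01
model: PA-3260
sw-version: 10.2.8
app-version: 8820-8631
"""

if __name__ == "__main__":
    v = extract_sw_version(SAMPLE_OUTPUT)
    print(v, is_vulnerable_cve_2024_3400(v, gp_gateway=True, telemetry=True))
```

Note that a base release such as 10.2.9 without the `-h1` hotfix still compares as lower than 10.2.9-h1, which is why the hotfix number is part of the tuple.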
Information Sources
- Palo Alto Security Advisories: security.paloaltonetworks.com
- Unit 42 Threat Research: unit42.paloaltonetworks.com
- CISA Known Exploited Vulnerabilities: cisa.gov/known-exploited-vulnerabilities
PAN-OS Security Best Practices
1. Restrict Management Interface Access
NEVER expose the management interface (port 443/4443) on a WAN interface:
Network → Interfaces → [WAN interface]
Management Profile → Uncheck HTTPS, SSH
Use a dedicated out-of-band management network.
2. Disable Unused Services
If you're not using GlobalProtect:
Network → GlobalProtect → Portals → Disable
Network → GlobalProtect → Gateways → Disable
3. Enable Automatic Content Updates
Device → Dynamic Updates → PAN-OS Software → Schedule
Content updates (signatures, threat prevention) should be automatic even if PAN-OS software updates require a maintenance window.
4. Enable Threat Prevention on All Policies
PAN-OS's power comes from its security profiles. Ensure Threat Prevention is active on all internet traffic policies.
5. Use Panorama for Centralized Management
Panorama enables simultaneous patch deployment across all your firewalls, reducing the exposure window.
Panorama and Management CVEs
The Panorama management interface has its own vulnerabilities:
- CVE-2024-0008: Auth bypass in Panorama (CVSS 9.8) — 2024
- CVE-2022-0030: Auth bypass in Panorama (CVSS 9.8)
If Panorama is internet-exposed, it represents an additional risk vector.
Register your Palo Alto appliances in your asset inventory on cveo.tech to be alerted as soon as a new PAN-OS CVE is published.