CVE2024

CVE-2024-3400

2Rules

4References

1Folders

2025-11-22Latest

Summary

CVE-2024-3400 is tracked here through 2 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2024. Coverage centers on paloalto / appliance / globalprotect, paloalto / file_event / globalprotect.

Related Detections

Search this threat

Emerging Threathightest

Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

paloaltoapplianceglobalprotect

TA0001 · Initial AccessTA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Stealth+2

Nasreddine Bencherchali (Nextron Systems)Thu Apr 182024

Emerging Threatmediumtest

Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

paloaltoFile Eventglobalprotect

TA0002 · Executioncve.2024-3400detection.emerging-threats

Andreas Braathen (mnemonic.io)Thu Apr 252024

References

Resolving title…

security.paloaltonetworks.com