Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls
Published Apr 14 2024 05:09 PM

On April 12, Palo Alto Networks released a security advisory on CVE-2024-3400, a critical vulnerability affecting several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Starting April 14, 2024, patches are expected to become available.







Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS



Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls configured with GlobalProtect gateway and/or GlobalProtect portal, and with device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability its highest urgency rating. Palo Alto Networks has released an in-depth blog on the scope of the attack, indicators of compromise, and adversary behavior observations. We highly recommend reviewing both the blog and the advisory for the latest information.

Identify affected devices with Defender Vulnerability Management

The following Advanced Hunting query provides a list of the potentially vulnerable devices with PAN-OS affected versions:



// Software inventory table in Defender Vulnerability Management advanced hunting
DeviceTvmSoftwareInventory
| where SoftwareName has "pan-os"
| where SoftwareVersion startswith "11.1." or SoftwareVersion startswith "11.0." or SoftwareVersion startswith "10.2."
| summarize by DeviceId, DeviceName, SoftwareName, SoftwareVersion

Identify affected multi-cloud resources with Defender for Cloud 

To identify affected multi-cloud resources using Defender for Cloud, you can use the Security Explorer feature. This will help detect all cloud resources affected by the vulnerability in Azure, AWS, and GCP. To get started, use this query.


Cloud security explorer in Defender for Cloud


Mitigation guidance

For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.
This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details for ETAs regarding the upcoming hotfixes in the security advisory.
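
The hunting query above matches every 10.2, 11.0 and 11.1 build, including builds that already carry the fix. The following Python sketch is an added example (not part of the original post, and not Microsoft or Palo Alto Networks tooling) that separates builds at or above the hotfixes listed here from those that still need checking against the advisory. It assumes SoftwareVersion is reported in the `major.minor.maintenance[-hN]` form; the function names, labels and sample rows are constructed for illustration.

```python
import re

# Fixed hotfix builds named in the mitigation guidance, keyed by release train:
# 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 -> (maintenance, hotfix)
FIXED = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

# Assumption: versions look like "major.minor.maintenance" with an optional "-hN".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Return ((major, minor), (maintenance, hotfix)) or None if unrecognised."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)


def triage(version):
    """Classify one version string (labels are hypothetical, chosen for this example)."""
    parsed = parse_panos(version)
    if parsed is None:
        return "unparsed"            # e.g. unexpected suffix: review by hand
    train, build = parsed
    if train not in FIXED:
        return "not-affected"        # page lists only 10.2, 11.0 and 11.1 as affected
    if build >= FIXED[train]:
        return "fixed"               # listed hotfix or any later build in the train
    # Older maintenance releases may have their own hotfix; the advisory decides.
    return "below-listed-fix"


def devices_to_follow_up(rows):
    """Keep (DeviceName, SoftwareVersion) rows that are not confirmed fixed."""
    return [r for r in rows if triage(r[1]) in ("below-listed-fix", "unparsed")]


# Constructed sample rows in the shape of the hunting query output.
SAMPLE_ROWS = [
    ("fw-edge-01", "10.2.9-h1"),
    ("fw-edge-02", "10.2.7"),
    ("fw-dc-01", "11.1.2-h2"),
    ("fw-lab-01", "11.0.5"),
]

if __name__ == "__main__":
    for name, version in devices_to_follow_up(SAMPLE_ROWS):
        print(f"{name}: {version} -> check advisory for a hotfix")
```

A "below-listed-fix" result is not proof of exposure: the build may be an older maintenance release with its own hotfix, which only the advisory can confirm.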

We will update this blog with information and guidance as needed.


Version history
Last update: Apr 15 2024 07:34 AM