Table of Contents
- Module 1: The Palo Alto PAN-OS GlobalProtect Command Injection Vulnerability
- Background: Palo Alto Networks and PAN-OS
- What Happened: Zero-Day Discovery in GlobalProtect
- Affected Versions and Prerequisites
- Concurrent High-Severity Vulnerabilities
- Overall Impact: Root-Level Compromise
- Why Command Injection Vulnerabilities Are So Common
- Exploitation Observed in the Wild
- CVSS Scoring Breakdown
- Risk Assessment: How Are You Affected?
- Indicators of Compromise
- Immediate Remediation Actions
- Follow-On Actions and Long-Term Best Practices
- Summary
Module 1: The Palo Alto PAN-OS GlobalProtect Command Injection Vulnerability
Background: Palo Alto Networks and PAN-OS
Palo Alto Networks is a vendor of network security appliances. It offers an enterprise cybersecurity platform that provides network security, cloud security, endpoint protection, and various cloud-delivered security solutions.
PAN-OS is the operating system that runs on all of Palo Alto’s next-generation firewalls. It bundles a range of technologies that give visibility into, and control over, application traffic across all users and devices within an enterprise network. Palo Alto Networks has been an established player in the network security appliance space for a long time, and PAN-OS firewalls are widely deployed as edge/perimeter devices in enterprise environments.
flowchart TD
A[Palo Alto Networks] --> B[Enterprise Cybersecurity Platform]
B --> C[Network Security]
B --> D[Cloud Security]
B --> E[Endpoint Protection]
B --> F[Cloud-Delivered Security Services]
C --> G[PAN-OS - Next-Gen Firewall Software]
G --> H[Application Visibility and Control]
G --> I[GlobalProtect - VPN Technology]
What Happened: Zero-Day Discovery in GlobalProtect
One of the technologies built into PAN-OS is GlobalProtect, which functions as the platform’s VPN solution, providing legitimate users with secure remote access to an organization’s corporate systems.
On April 10th, the security research firm Volexity identified that zero-day exploitation of a vulnerability had taken place within GlobalProtect on one of its customers’ networks. Volexity worked with Palo Alto Networks to uncover the root cause, which was ultimately determined to be an OS command injection vulnerability.
Command injection vulnerabilities allow an attacker to execute arbitrary commands on a target operating system, often without any requirement to authenticate. This class of vulnerability arises when an application passes unsafe or unsanitized user-supplied data to a system shell.
sequenceDiagram
participant Attacker
participant GlobalProtect as GlobalProtect Gateway (PAN-OS)
participant OS as Underlying Operating System
participant Network as Internal Enterprise Network
Attacker->>GlobalProtect: Crafted request containing malicious, unsanitized input
GlobalProtect->>OS: Unsafe input passed directly to system shell
OS->>OS: Arbitrary OS command injection executed
Note over OS: GlobalProtect runs with root-level privileges
OS-->>Attacker: Arbitrary command execution with root privileges
Attacker->>Network: Pivot / lateral movement using root-level foothold
Affected Versions and Prerequisites
This vulnerability is applicable only to specific PAN-OS firewall configurations, not to the entire product line. It requires all of the following conditions to be true:
| Condition | Requirement |
|---|---|
| PAN-OS version | 10.2, 11.0, or 11.1 |
| Feature configuration | GlobalProtect gateway must be configured and in use |
| Additional setting | Device telemetry must be enabled |
| Not affected | Cloud firewalls |
| Not affected | Panorama appliances |
| Not affected | Prisma Access |
flowchart TD
Start([Is the device affected?]) --> V{PAN-OS version<br/>10.2, 11.0, or 11.1?}
V -- No --> Safe1[Not affected]
V -- Yes --> G{GlobalProtect gateway<br/>configured?}
G -- No --> Safe2[Not affected]
G -- Yes --> T{Device telemetry<br/>enabled?}
T -- No --> Safe3[Not affected]
T -- Yes --> Vulnerable[Vulnerable configuration]
Concurrent High-Severity Vulnerabilities
It has been a difficult period for Palo Alto Networks. Around the same time this critical vulnerability emerged, four additional high-severity vulnerabilities were also disclosed:
| # | Vulnerability | Impact |
|---|---|---|
| 1 | Denial of service flaw | Causes the firewall to reboot and enter maintenance mode, requiring manual intervention to bring the device back online |
| 2 | Denial of service flaw | Same reboot/maintenance-mode impact as #1 |
| 3 | Packet-flood denial of service | A more complex issue: an attacker sends a burst of malicious packets through the firewall, stopping it from processing traffic |
| 4 | Cloud Identity Engine data-handling flaw | Related to how PAN-OS processes data received from Cloud Identity Engine agents; enables modification of user ID groups, which can lead to denial of access or overly permissive access to resources |
Overall Impact: Root-Level Compromise
The vulnerability under discussion affects a VPN appliance — a device used specifically to provide legitimate users with secure remote access to an organization’s corporate systems. GlobalProtect runs with root-level privileges by design, which means that any code executed via a successful exploit will also run with root privileges.
If an attacker exploits this vulnerability, they can gain a foothold into the entire enterprise network with root-level privileges. This represents a significant risk to the confidentiality, integrity, and availability of systems and data across the network.
mindmap
root((Root-Level GlobalProtect Compromise))
Confidentiality
Credential theft
Sensitive data exfiltration
Integrity
Unauthorized configuration changes
Backdoor / persistence installation
Availability
Denial of service
Device taken offline for remediation
Privilege Level
Root access on the firewall
Pivot point into internal network
Why Command Injection Vulnerabilities Are So Common
Command injection vulnerabilities are prevalent because they arise from poor coding practices and a failure to properly sanitize user input. According to MITRE’s CVE database, there were 146 vulnerabilities with assigned CVEs labeled as OS command injection in just over the first three months of the year in question — a little over three months’ worth of disclosures.
A recent, well-known example of the same vulnerability class is the command injection vulnerability found in the web components of Ivanti’s Connect Secure and Policy Secure products, which allowed an unauthenticated administrator to send specially crafted requests and execute arbitrary commands on the target appliance.
Edge appliances such as VPN gateways are a particularly attractive target for this vulnerability class because they typically lack the protection mechanisms and endpoint detection and response (EDR) capabilities that would otherwise help mitigate exploitation.
flowchart LR
A[Poor input sanitization in code] --> B[User-supplied data passed unsafely to system shell]
B --> C[OS Command Injection Vulnerability]
C --> D[Common in edge appliances / VPN gateways]
D --> E[No EDR / limited protection mechanisms on appliance]
E --> F[Attractive, high-value attacker target]
Exploitation Observed in the Wild
Volexity originally identified exploitation of a zero-day in one of its customers’ networks on April 10th. As Volexity broadened its investigation, it identified successful exploitation across multiple other customers and organizations dating back to March 26th.
The investigation concluded that the earliest activity appeared to be a threat actor testing the vulnerability — placing zero-byte-size files onto firewall devices to validate exploitability. The attacker was also observed attempting, and on that occasion failing, to deploy a backdoor onto the target device.
A few days later, the same attacker was observed exploiting a device again, and this time succeeded in deploying a malicious payload.
sequenceDiagram
participant Attacker
participant Firewall as Vulnerable GlobalProtect Firewall
Note over Attacker,Firewall: March 26 - Reconnaissance / Testing Phase
Attacker->>Firewall: Exploit attempt - place zero-byte test file
Firewall-->>Attacker: Confirms exploitability
Attacker->>Firewall: Attempt to deploy backdoor
Firewall-->>Attacker: Backdoor deployment fails
Note over Attacker,Firewall: A few days later - Successful Exploitation
Attacker->>Firewall: Exploit + deploy malicious payload
Firewall-->>Attacker: Payload successfully installed
Note over Attacker,Firewall: April 10 - Volexity identifies active exploitation in a customer network
An open question raised during the risk-assessment discussion of this incident is how long a threat actor might have had a presence on a compromised network before detection — a consideration that mirrors long-dwell-time nation-state intrusion campaigns and reinforces the need for thorough post-compromise investigation rather than assuming a short window of exposure.
CVSS Scoring Breakdown
The vulnerability received the maximum possible CVSS score: 10.0 (Critical).
| CVSS Metric | Value | Rationale |
|---|---|---|
| Attack Vector (AV) | Network | The vulnerability can be exploited across a network — no local or physical access is required |
| Attack Complexity (AC) | Low | This is a low-complexity attack |
| Privileges Required (PR) | None | No privileges are required to exploit the vulnerability |
| User Interaction (UI) | None | No user interaction is required |
| Confidentiality Impact (C) | High | Root-level code execution exposes all data on the device/network |
| Integrity Impact (I) | High | An attacker can modify configuration, data, or install backdoors |
| Availability Impact (A) | High | An attacker can disrupt or disable the firewall entirely |
| Overall Score | 10.0 / Critical | Network vector + low complexity + no privileges + no user interaction + high C/I/A = maximum score |
flowchart TD
A[Attack Vector: Network] --> S[CVSS Base Score]
B[Attack Complexity: Low] --> S
C[Privileges Required: None] --> S
D[User Interaction: None] --> S
E[Confidentiality Impact: High] --> S
F[Integrity Impact: High] --> S
G[Availability Impact: High] --> S
S --> R[Resulting Score: 10.0 - Critical]
Risk Assessment: How Are You Affected?
To assess organizational exposure to this vulnerability, the following structured approach is recommended:
- Asset inventory — Maintain a good-quality, up-to-date inventory of assets and other system/network information. Know which assets are the most important and where they are located.
- Protection level review — Determine how those critical assets are being protected. Are they treated the same as all other assets, or do additional controls apply to them?
- Tabletop exercise — Walk through a tabletop exercise that assumes exploitation of the vulnerability has already occurred. Ask:
- Could an attacker reach those assets?
- If so, what could they do — encrypt, delete, change, or steal them?
- Backup strategy review — Assuming compromise does occur, what does the backup strategy look like? This includes having good-quality backups and a well-practiced process for restoring those backups.
flowchart TD
A[Start Risk Assessment] --> B[Maintain up-to-date asset inventory]
B --> C[Identify most important assets and locations]
C --> D{Are critical assets protected<br/>with additional controls?}
D -- No --> E[Apply additional protective controls]
D -- Yes --> F[Run tabletop exercise assuming exploitation]
E --> F
F --> G{Could an attacker reach the asset?}
G -- Yes --> H[Assess possible impact: encrypt / delete / modify / steal]
G -- No --> I[Document rationale, continue monitoring]
H --> J[Review backup strategy and restoration process]
I --> J
J --> K[Practice backup restoration regularly]
Running a tabletop exercise like this builds organizational muscle memory for incident response — teams get progressively better at responding the more they practice. Many organizations either lack an asset inventory entirely or have one that isn’t kept up to date; simply having a list is not sufficient, it must be actively maintained.
Indicators of Compromise
A number of single-value indicators of compromise (IOCs) have been identified, specific to the exploitation activity observed between late March and early April:
- IP addresses used by attackers for hosting malicious files and interacting with compromised devices (command-and-control infrastructure).
- File hashes recovered from the attackers’ tooling, including:
- A web shell
- Reverse shell scripts
- Post-exploitation scripts
- Network traffic indicators, including:
- Files downloaded via HTTP requests
- RDP connections originating from the compromised firewall
Data downloaded by attackers has included:
- Chrome/Edge browser data — presumably targeting stored credentials, access tokens, and other sensitive information saved in the browser.
- The domain’s
NTDS.ditfile — Microsoft’s Active Directory database, which contains usernames and password hashes for every user in the domain.
flowchart LR
A[Compromised GlobalProtect Firewall] --> B[Web Shell Deployed]
B --> C[Reverse Shell / Post-Exploitation Scripts]
C --> D[Data Exfiltration]
D --> E[Browser Credential Data<br/>Chrome / Edge]
D --> F[NTDS.dit - Active Directory Database]
F --> G[All domain usernames + password hashes obtained]
D --> H[C2 Infrastructure: attacker-controlled IPs]
Obtaining browser-saved passwords gives an attacker direct access to whatever credentials a user has stored. Exfiltrating the NTDS.dit file is even more severe: it requires comparatively little additional effort to extract every domain credential from that single file, effectively giving the attacker all the credentials needed for further compromise of the environment.
Immediate Remediation Actions
Palo Alto Networks has issued hot-fix releases of PAN-OS for the affected versions. However, some appliances may still be waiting for those fixes to be applied.
If a fix cannot be applied immediately, two workarounds are available:
flowchart TD
A[Vulnerable PAN-OS GlobalProtect Gateway] --> B{Can hot-fix be applied now?}
B -- Yes --> C[Apply Palo Alto hot-fix release]
B -- No --> D{Threat Prevention subscription active?}
D -- Yes --> E["Block attacks using Threat ID 95187<br/>(ensure vulnerability protection applied to GlobalProtect interface)"]
D -- No --> F[Temporarily disable device telemetry]
F --> G[Re-enable telemetry once PAN-OS is upgraded to a fixed version]
E --> H[Continue monitoring until hot-fix is applied]
C --> I[Device remediated]
| Option | Applicability | Action |
|---|---|---|
| Apply hot-fix | Preferred, all customers | Upgrade to the patched PAN-OS release for the affected version |
| Threat Prevention workaround | Customers with a Threat Prevention subscription | Block attacks using Threat ID 95187; vulnerability protection must be applied to the GlobalProtect interface |
| Disable telemetry workaround | Customers without Threat Prevention subscription, or unable to apply the above | Temporarily disable device telemetry until the device is upgraded; re-enable telemetry once upgraded |
Follow-On Actions and Long-Term Best Practices
Beyond immediate remediation, the following general security best practices are recommended:
- Maintain a good-quality, up-to-date asset inventory — including the appliance/application, its current version, and relevant configuration information. This makes it quick and simple to determine impact when a new vulnerability like this is disclosed.
- Review backup strategy — it took several days for a patch to become available for this vulnerability, and patches for some appliances were still pending. That gap leaves a window open for attackers to act, so organizations must be prepared for that possibility.
- Review organizational preparedness, asking:
- Were you sufficiently resourced to step up monitoring and implement workarounds until a patch was available?
- Were you ready to move into the incident response phase if needed?
- Did you have a source of reliable information about the vulnerability and known exploitation attempts?
- Were you able to gain sufficient situational awareness in your own environment based on that information?
mindmap
root((Long-Term Best Practices))
Asset Inventory
Keep current version data
Track configuration details
Enables fast impact assessment
Backup Strategy
Good quality backups
Documented restoration plan
Regularly practiced/tested
Organizational Readiness
Monitoring capacity during patch gap
Incident response readiness
Reliable threat intelligence sources
Situational awareness in own environment
Backup plans that are documented but never practiced amount to little more than a “backup prayer” — practicing the restoration process, just like a tabletop exercise, builds the muscle memory needed to restore systems quickly when an incident actually occurs. Beyond building that muscle memory, exercising these plans also helps uncover gaps and weaknesses in response and recovery processes, giving organizations the opportunity to continuously improve and be better prepared the next time a similar incident occurs.
Summary
This briefing covered a critical, actively exploited zero-day command injection vulnerability affecting the GlobalProtect VPN gateway feature of Palo Alto Networks’ PAN-OS firewall software.
Key facts:
- Root cause: OS command injection caused by unsanitized user-supplied input being passed to a system shell.
- Affected configurations: PAN-OS 10.2, 11.0, and 11.1 firewalls with a GlobalProtect gateway configured and device telemetry enabled. Cloud firewalls, Panorama appliances, and Prisma Access are not affected.
- Severity: CVSS 10.0 (Critical) — network vector, low complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
- Privilege level: GlobalProtect runs with root-level privileges, so successful exploitation grants an attacker root access on the firewall itself.
- Active exploitation: First observed as reconnaissance/testing activity on March 26th, escalating to successful payload deployment days later, with broader exploitation identified by Volexity on April 10th.
- Post-exploitation activity: Deployment of web shells and reverse/post-exploitation scripts, exfiltration of browser-stored credentials, and theft of the Active Directory
NTDS.ditdatabase. - Remediation: Palo Alto Networks hot-fix releases are available; Threat ID 95187 (with a Threat Prevention subscription) or temporarily disabling device telemetry are viable interim workarounds.
Mitigation Checklist
- Identify all PAN-OS firewalls running versions 10.2, 11.0, or 11.1.
- Determine which of those firewalls have a GlobalProtect gateway configured.
- Determine which of those firewalls have device telemetry enabled.
- Apply the relevant Palo Alto Networks hot-fix release as soon as possible.
- If unable to patch immediately and a Threat Prevention subscription is active, apply Threat ID 95187 and confirm vulnerability protection is applied to the GlobalProtect interface.
- If no Threat Prevention subscription is available, temporarily disable device telemetry until the device can be upgraded.
- Re-enable device telemetry once the device has been upgraded to a fixed PAN-OS version.
- Search for known IOCs: suspicious outbound connections to attacker-controlled IPs, web shell/reverse shell file hashes, anomalous HTTP downloads, and RDP sessions originating from the firewall itself.
- Check for exfiltration of browser credential stores and the
NTDS.ditActive Directory database. - Maintain an up-to-date asset inventory including appliance versions and configuration details.
- Review and test backup and restoration procedures for affected systems.
- Run a tabletop exercise assuming exploitation has occurred, and use it to identify gaps in monitoring, response, and recovery processes.
- Confirm your organization has reliable, timely sources of vulnerability and threat intelligence, and the capacity to act on them quickly.
Search Terms
palo · alto · pan-os · rce · vulnerability · know · briefings · networking · systems · security · actions · affected · command · compromise · globalprotect · injection · vulnerabilities