Advanced

Palo Alto PAN-OS RCE Vulnerability: What You Should Know

This briefing covered a critical, actively exploited zero-day command injection vulnerability affecting the GlobalProtect VPN gateway feature of Palo Alto Networks' PAN-OS firewall software.

Table of Contents

Module 1: The Palo Alto PAN-OS GlobalProtect Command Injection Vulnerability

Background: Palo Alto Networks and PAN-OS

Palo Alto Networks is a vendor of network security appliances. It offers an enterprise cybersecurity platform that provides network security, cloud security, endpoint protection, and various cloud-delivered security solutions.

PAN-OS is the operating system that runs on all of Palo Alto’s next-generation firewalls. It bundles a range of technologies that give visibility into, and control over, application traffic across all users and devices within an enterprise network. Palo Alto Networks has been an established player in the network security appliance space for a long time, and PAN-OS firewalls are widely deployed as edge/perimeter devices in enterprise environments.

flowchart TD
    A[Palo Alto Networks] --> B[Enterprise Cybersecurity Platform]
    B --> C[Network Security]
    B --> D[Cloud Security]
    B --> E[Endpoint Protection]
    B --> F[Cloud-Delivered Security Services]
    C --> G[PAN-OS - Next-Gen Firewall Software]
    G --> H[Application Visibility and Control]
    G --> I[GlobalProtect - VPN Technology]

What Happened: Zero-Day Discovery in GlobalProtect

One of the technologies built into PAN-OS is GlobalProtect, which functions as the platform’s VPN solution, providing legitimate users with secure remote access to an organization’s corporate systems.

On April 10th, the security research firm Volexity identified that zero-day exploitation of a vulnerability had taken place within GlobalProtect on one of its customers’ networks. Volexity worked with Palo Alto Networks to uncover the root cause, which was ultimately determined to be an OS command injection vulnerability.

Command injection vulnerabilities allow an attacker to execute arbitrary commands on a target operating system, often without any requirement to authenticate. This class of vulnerability arises when an application passes unsafe or unsanitized user-supplied data to a system shell.

sequenceDiagram
    participant Attacker
    participant GlobalProtect as GlobalProtect Gateway (PAN-OS)
    participant OS as Underlying Operating System
    participant Network as Internal Enterprise Network

    Attacker->>GlobalProtect: Crafted request containing malicious, unsanitized input
    GlobalProtect->>OS: Unsafe input passed directly to system shell
    OS->>OS: Arbitrary OS command injection executed
    Note over OS: GlobalProtect runs with root-level privileges
    OS-->>Attacker: Arbitrary command execution with root privileges
    Attacker->>Network: Pivot / lateral movement using root-level foothold

Affected Versions and Prerequisites

This vulnerability is applicable only to specific PAN-OS firewall configurations, not to the entire product line. It requires all of the following conditions to be true:

ConditionRequirement
PAN-OS version10.2, 11.0, or 11.1
Feature configurationGlobalProtect gateway must be configured and in use
Additional settingDevice telemetry must be enabled
Not affectedCloud firewalls
Not affectedPanorama appliances
Not affectedPrisma Access
flowchart TD
    Start([Is the device affected?]) --> V{PAN-OS version<br/>10.2, 11.0, or 11.1?}
    V -- No --> Safe1[Not affected]
    V -- Yes --> G{GlobalProtect gateway<br/>configured?}
    G -- No --> Safe2[Not affected]
    G -- Yes --> T{Device telemetry<br/>enabled?}
    T -- No --> Safe3[Not affected]
    T -- Yes --> Vulnerable[Vulnerable configuration]

Concurrent High-Severity Vulnerabilities

It has been a difficult period for Palo Alto Networks. Around the same time this critical vulnerability emerged, four additional high-severity vulnerabilities were also disclosed:

#VulnerabilityImpact
1Denial of service flawCauses the firewall to reboot and enter maintenance mode, requiring manual intervention to bring the device back online
2Denial of service flawSame reboot/maintenance-mode impact as #1
3Packet-flood denial of serviceA more complex issue: an attacker sends a burst of malicious packets through the firewall, stopping it from processing traffic
4Cloud Identity Engine data-handling flawRelated to how PAN-OS processes data received from Cloud Identity Engine agents; enables modification of user ID groups, which can lead to denial of access or overly permissive access to resources

Overall Impact: Root-Level Compromise

The vulnerability under discussion affects a VPN appliance — a device used specifically to provide legitimate users with secure remote access to an organization’s corporate systems. GlobalProtect runs with root-level privileges by design, which means that any code executed via a successful exploit will also run with root privileges.

If an attacker exploits this vulnerability, they can gain a foothold into the entire enterprise network with root-level privileges. This represents a significant risk to the confidentiality, integrity, and availability of systems and data across the network.

mindmap
  root((Root-Level GlobalProtect Compromise))
    Confidentiality
      Credential theft
      Sensitive data exfiltration
    Integrity
      Unauthorized configuration changes
      Backdoor / persistence installation
    Availability
      Denial of service
      Device taken offline for remediation
    Privilege Level
      Root access on the firewall
      Pivot point into internal network

Why Command Injection Vulnerabilities Are So Common

Command injection vulnerabilities are prevalent because they arise from poor coding practices and a failure to properly sanitize user input. According to MITRE’s CVE database, there were 146 vulnerabilities with assigned CVEs labeled as OS command injection in just over the first three months of the year in question — a little over three months’ worth of disclosures.

A recent, well-known example of the same vulnerability class is the command injection vulnerability found in the web components of Ivanti’s Connect Secure and Policy Secure products, which allowed an unauthenticated administrator to send specially crafted requests and execute arbitrary commands on the target appliance.

Edge appliances such as VPN gateways are a particularly attractive target for this vulnerability class because they typically lack the protection mechanisms and endpoint detection and response (EDR) capabilities that would otherwise help mitigate exploitation.

flowchart LR
    A[Poor input sanitization in code] --> B[User-supplied data passed unsafely to system shell]
    B --> C[OS Command Injection Vulnerability]
    C --> D[Common in edge appliances / VPN gateways]
    D --> E[No EDR / limited protection mechanisms on appliance]
    E --> F[Attractive, high-value attacker target]

Exploitation Observed in the Wild

Volexity originally identified exploitation of a zero-day in one of its customers’ networks on April 10th. As Volexity broadened its investigation, it identified successful exploitation across multiple other customers and organizations dating back to March 26th.

The investigation concluded that the earliest activity appeared to be a threat actor testing the vulnerability — placing zero-byte-size files onto firewall devices to validate exploitability. The attacker was also observed attempting, and on that occasion failing, to deploy a backdoor onto the target device.

A few days later, the same attacker was observed exploiting a device again, and this time succeeded in deploying a malicious payload.

sequenceDiagram
    participant Attacker
    participant Firewall as Vulnerable GlobalProtect Firewall

    Note over Attacker,Firewall: March 26 - Reconnaissance / Testing Phase
    Attacker->>Firewall: Exploit attempt - place zero-byte test file
    Firewall-->>Attacker: Confirms exploitability
    Attacker->>Firewall: Attempt to deploy backdoor
    Firewall-->>Attacker: Backdoor deployment fails

    Note over Attacker,Firewall: A few days later - Successful Exploitation
    Attacker->>Firewall: Exploit + deploy malicious payload
    Firewall-->>Attacker: Payload successfully installed
    Note over Attacker,Firewall: April 10 - Volexity identifies active exploitation in a customer network

An open question raised during the risk-assessment discussion of this incident is how long a threat actor might have had a presence on a compromised network before detection — a consideration that mirrors long-dwell-time nation-state intrusion campaigns and reinforces the need for thorough post-compromise investigation rather than assuming a short window of exposure.

CVSS Scoring Breakdown

The vulnerability received the maximum possible CVSS score: 10.0 (Critical).

CVSS MetricValueRationale
Attack Vector (AV)NetworkThe vulnerability can be exploited across a network — no local or physical access is required
Attack Complexity (AC)LowThis is a low-complexity attack
Privileges Required (PR)NoneNo privileges are required to exploit the vulnerability
User Interaction (UI)NoneNo user interaction is required
Confidentiality Impact (C)HighRoot-level code execution exposes all data on the device/network
Integrity Impact (I)HighAn attacker can modify configuration, data, or install backdoors
Availability Impact (A)HighAn attacker can disrupt or disable the firewall entirely
Overall Score10.0 / CriticalNetwork vector + low complexity + no privileges + no user interaction + high C/I/A = maximum score
flowchart TD
    A[Attack Vector: Network] --> S[CVSS Base Score]
    B[Attack Complexity: Low] --> S
    C[Privileges Required: None] --> S
    D[User Interaction: None] --> S
    E[Confidentiality Impact: High] --> S
    F[Integrity Impact: High] --> S
    G[Availability Impact: High] --> S
    S --> R[Resulting Score: 10.0 - Critical]

Risk Assessment: How Are You Affected?

To assess organizational exposure to this vulnerability, the following structured approach is recommended:

  1. Asset inventory — Maintain a good-quality, up-to-date inventory of assets and other system/network information. Know which assets are the most important and where they are located.
  2. Protection level review — Determine how those critical assets are being protected. Are they treated the same as all other assets, or do additional controls apply to them?
  3. Tabletop exercise — Walk through a tabletop exercise that assumes exploitation of the vulnerability has already occurred. Ask:
    • Could an attacker reach those assets?
    • If so, what could they do — encrypt, delete, change, or steal them?
  4. Backup strategy review — Assuming compromise does occur, what does the backup strategy look like? This includes having good-quality backups and a well-practiced process for restoring those backups.
flowchart TD
    A[Start Risk Assessment] --> B[Maintain up-to-date asset inventory]
    B --> C[Identify most important assets and locations]
    C --> D{Are critical assets protected<br/>with additional controls?}
    D -- No --> E[Apply additional protective controls]
    D -- Yes --> F[Run tabletop exercise assuming exploitation]
    E --> F
    F --> G{Could an attacker reach the asset?}
    G -- Yes --> H[Assess possible impact: encrypt / delete / modify / steal]
    G -- No --> I[Document rationale, continue monitoring]
    H --> J[Review backup strategy and restoration process]
    I --> J
    J --> K[Practice backup restoration regularly]

Running a tabletop exercise like this builds organizational muscle memory for incident response — teams get progressively better at responding the more they practice. Many organizations either lack an asset inventory entirely or have one that isn’t kept up to date; simply having a list is not sufficient, it must be actively maintained.

Indicators of Compromise

A number of single-value indicators of compromise (IOCs) have been identified, specific to the exploitation activity observed between late March and early April:

  • IP addresses used by attackers for hosting malicious files and interacting with compromised devices (command-and-control infrastructure).
  • File hashes recovered from the attackers’ tooling, including:
    • A web shell
    • Reverse shell scripts
    • Post-exploitation scripts
  • Network traffic indicators, including:
    • Files downloaded via HTTP requests
    • RDP connections originating from the compromised firewall

Data downloaded by attackers has included:

  • Chrome/Edge browser data — presumably targeting stored credentials, access tokens, and other sensitive information saved in the browser.
  • The domain’s NTDS.dit file — Microsoft’s Active Directory database, which contains usernames and password hashes for every user in the domain.
flowchart LR
    A[Compromised GlobalProtect Firewall] --> B[Web Shell Deployed]
    B --> C[Reverse Shell / Post-Exploitation Scripts]
    C --> D[Data Exfiltration]
    D --> E[Browser Credential Data<br/>Chrome / Edge]
    D --> F[NTDS.dit - Active Directory Database]
    F --> G[All domain usernames + password hashes obtained]
    D --> H[C2 Infrastructure: attacker-controlled IPs]

Obtaining browser-saved passwords gives an attacker direct access to whatever credentials a user has stored. Exfiltrating the NTDS.dit file is even more severe: it requires comparatively little additional effort to extract every domain credential from that single file, effectively giving the attacker all the credentials needed for further compromise of the environment.

Immediate Remediation Actions

Palo Alto Networks has issued hot-fix releases of PAN-OS for the affected versions. However, some appliances may still be waiting for those fixes to be applied.

If a fix cannot be applied immediately, two workarounds are available:

flowchart TD
    A[Vulnerable PAN-OS GlobalProtect Gateway] --> B{Can hot-fix be applied now?}
    B -- Yes --> C[Apply Palo Alto hot-fix release]
    B -- No --> D{Threat Prevention subscription active?}
    D -- Yes --> E["Block attacks using Threat ID 95187<br/>(ensure vulnerability protection applied to GlobalProtect interface)"]
    D -- No --> F[Temporarily disable device telemetry]
    F --> G[Re-enable telemetry once PAN-OS is upgraded to a fixed version]
    E --> H[Continue monitoring until hot-fix is applied]
    C --> I[Device remediated]
OptionApplicabilityAction
Apply hot-fixPreferred, all customersUpgrade to the patched PAN-OS release for the affected version
Threat Prevention workaroundCustomers with a Threat Prevention subscriptionBlock attacks using Threat ID 95187; vulnerability protection must be applied to the GlobalProtect interface
Disable telemetry workaroundCustomers without Threat Prevention subscription, or unable to apply the aboveTemporarily disable device telemetry until the device is upgraded; re-enable telemetry once upgraded

Follow-On Actions and Long-Term Best Practices

Beyond immediate remediation, the following general security best practices are recommended:

  1. Maintain a good-quality, up-to-date asset inventory — including the appliance/application, its current version, and relevant configuration information. This makes it quick and simple to determine impact when a new vulnerability like this is disclosed.
  2. Review backup strategy — it took several days for a patch to become available for this vulnerability, and patches for some appliances were still pending. That gap leaves a window open for attackers to act, so organizations must be prepared for that possibility.
  3. Review organizational preparedness, asking:
    • Were you sufficiently resourced to step up monitoring and implement workarounds until a patch was available?
    • Were you ready to move into the incident response phase if needed?
    • Did you have a source of reliable information about the vulnerability and known exploitation attempts?
    • Were you able to gain sufficient situational awareness in your own environment based on that information?
mindmap
  root((Long-Term Best Practices))
    Asset Inventory
      Keep current version data
      Track configuration details
      Enables fast impact assessment
    Backup Strategy
      Good quality backups
      Documented restoration plan
      Regularly practiced/tested
    Organizational Readiness
      Monitoring capacity during patch gap
      Incident response readiness
      Reliable threat intelligence sources
      Situational awareness in own environment

Backup plans that are documented but never practiced amount to little more than a “backup prayer” — practicing the restoration process, just like a tabletop exercise, builds the muscle memory needed to restore systems quickly when an incident actually occurs. Beyond building that muscle memory, exercising these plans also helps uncover gaps and weaknesses in response and recovery processes, giving organizations the opportunity to continuously improve and be better prepared the next time a similar incident occurs.

Summary

This briefing covered a critical, actively exploited zero-day command injection vulnerability affecting the GlobalProtect VPN gateway feature of Palo Alto Networks’ PAN-OS firewall software.

Key facts:

  • Root cause: OS command injection caused by unsanitized user-supplied input being passed to a system shell.
  • Affected configurations: PAN-OS 10.2, 11.0, and 11.1 firewalls with a GlobalProtect gateway configured and device telemetry enabled. Cloud firewalls, Panorama appliances, and Prisma Access are not affected.
  • Severity: CVSS 10.0 (Critical) — network vector, low complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
  • Privilege level: GlobalProtect runs with root-level privileges, so successful exploitation grants an attacker root access on the firewall itself.
  • Active exploitation: First observed as reconnaissance/testing activity on March 26th, escalating to successful payload deployment days later, with broader exploitation identified by Volexity on April 10th.
  • Post-exploitation activity: Deployment of web shells and reverse/post-exploitation scripts, exfiltration of browser-stored credentials, and theft of the Active Directory NTDS.dit database.
  • Remediation: Palo Alto Networks hot-fix releases are available; Threat ID 95187 (with a Threat Prevention subscription) or temporarily disabling device telemetry are viable interim workarounds.

Mitigation Checklist

  • Identify all PAN-OS firewalls running versions 10.2, 11.0, or 11.1.
  • Determine which of those firewalls have a GlobalProtect gateway configured.
  • Determine which of those firewalls have device telemetry enabled.
  • Apply the relevant Palo Alto Networks hot-fix release as soon as possible.
  • If unable to patch immediately and a Threat Prevention subscription is active, apply Threat ID 95187 and confirm vulnerability protection is applied to the GlobalProtect interface.
  • If no Threat Prevention subscription is available, temporarily disable device telemetry until the device can be upgraded.
  • Re-enable device telemetry once the device has been upgraded to a fixed PAN-OS version.
  • Search for known IOCs: suspicious outbound connections to attacker-controlled IPs, web shell/reverse shell file hashes, anomalous HTTP downloads, and RDP sessions originating from the firewall itself.
  • Check for exfiltration of browser credential stores and the NTDS.dit Active Directory database.
  • Maintain an up-to-date asset inventory including appliance versions and configuration details.
  • Review and test backup and restoration procedures for affected systems.
  • Run a tabletop exercise assuming exploitation has occurred, and use it to identify gaps in monitoring, response, and recovery processes.
  • Confirm your organization has reliable, timely sources of vulnerability and threat intelligence, and the capacity to act on them quickly.

Search Terms

palo · alto · pan-os · rce · vulnerability · know · briefings · networking · systems · security · actions · affected · command · compromise · globalprotect · injection · vulnerabilities

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.