Palo Alto GlobalProtect SSL VPN: Comprehensive CVE and Vulnerability Analysis
📑 Table of Contents
- Executive Summary
- Critical CVEs and Vulnerabilities
- Configuration File and Credential Exposure
- XSS and SQL Injection Vulnerabilities
- Default Credentials
- Palo Alto Expedition Vulnerabilities
- Backdoor Analysis
- Penetration Testing Checklist
- Red Team Operational Tips
- Burp Suite PoC Examples
- Mitigation and Hardening
- References
📋 Executive Summary
Palo Alto Networks GlobalProtect SSL VPN and related PAN-OS infrastructure contain multiple critical vulnerabilities that enable remote code execution, authentication bypass, credential theft, and configuration exposure. This comprehensive analysis documents all known CVEs, proof-of-concepts, exploitation techniques, and provides actionable penetration testing methodologies for security professionals.
🔴 Critical CVEs and Vulnerabilities
CVE-2024-3400: GlobalProtect Command Injection (CRITICAL - CVSS 10.0)
Severity: CRITICAL (CVSS 10.0)
Published: April 11, 2024
Type: Arbitrary File Creation & Command Injection
Authentication Required: No
Network Accessible: Yes
Description
A command injection vulnerability in the GlobalProtect feature of PAN-OS allows an unauthenticated attacker to execute arbitrary OS commands with root privileges. The vulnerability results from improper validation of user-supplied input in the GlobalProtect gateway, which can be exploited to create arbitrary files and execute commands.
Affected Versions
| Product | Affected Versions | Patched Versions |
|---|---|---|
| PAN-OS 11.0 | < 11.0.3 | >= 11.0.3 |
| PAN-OS 10.2 | < 10.2.5 | >= 10.2.5 |
| PAN-OS 10.1 | < 10.1.11 | >= 10.1.11 |
| PAN-OS 9.1 | < 9.1.14 | >= 9.1.14 |
Exploitation Status
ACTIVELY EXPLOITED IN THE WILD - This vulnerability has been exploited by multiple threat actors including the group behind Operation MidnightEclipse.
Impact
- Complete remote code execution as root user
- Installation of persistent backdoors
- Lateral movement to internal networks
- Data exfiltration from firewall and connected systems
- Modification of firewall policies and configurations
Proof of Concept Concept
The vulnerability can be exploited by sending a specially crafted request to the GlobalProtect gateway portal. The attack vector involves manipulating the portal configuration parameters to inject OS commands.
GitHub Exploit Repositories
- https://github.com/retkoussa/CVE-2024-3400
- https://github.com/Chocapikk/CVE-2024-3400
- https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan
Remediation
- Upgrade PAN-OS to patched versions immediately
- Implement network access controls to restrict GlobalProtect portal access
- Monitor for suspicious GlobalProtect gateway activity
- Assume breach if exploitation is detected
CVE-2025-0108: Authentication Bypass (CRITICAL - CVSS 9.8)
Severity: CRITICAL (CVSS 9.8)
Published: February 12, 2025
Type: Authentication Bypass in Management Interface
Authentication Required: No
Exploitation Status: ACTIVELY EXPLOITED
Description
An authentication bypass vulnerability in the management web interface of PAN-OS enables an unauthenticated attacker with network access to bypass authentication and gain administrative access to the firewall. This allows complete compromise of the device.
Impact
- Unauthorized administrative access to firewall management interface
- Complete firewall configuration modification
- Credential theft from firewall database
- Installation of backdoors and persistence mechanisms
- Network policy modification enabling data exfiltration
GitHub Exploit Repositories
CVE-2024-3388: User Impersonation (HIGH - CVSS 8.6)
Severity: HIGH (CVSS 8.6)
Published: April 2024
Type: User Impersonation in GlobalProtect
Description
A vulnerability in GlobalProtect allows an attacker to impersonate legitimate users, potentially gaining unauthorized access to resources and performing actions on behalf of other users.
CVE-2024-9474: PAN-OS Privilege Escalation
Severity: MEDIUM (CVSS 6.9)
Published: November 18, 2024
Type: Privilege Escalation
Authentication Required: Yes (Administrator)
Description
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Impact
An authenticated administrator can escalate privileges to root, gaining complete control over the firewall.
CVE-2025-0111: PAN-OS Authenticated File Read
Severity: HIGH (CVSS 7.1)
Published: February 12, 2025
Type: Authenticated File Read
Authentication Required: Yes
Description
An authenticated file read vulnerability in the management web interface of the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
Impact
An attacker can read sensitive files on the filesystem, potentially leading to the disclosure of configuration details, credentials, or other sensitive information.
📁 Configuration File and Credential Exposure
CVE-2024-8687: Cleartext Exposure of GlobalProtect Portal Passcodes
Severity: MEDIUM (CVSS 6.9)
Published: September 11, 2024
Description
An information exposure vulnerability enables GlobalProtect end users to extract both the configured uninstall password and the disable/disconnect passcode. These credentials are stored in a manner accessible to local users, allowing them to bypass VPN enforcement policies.
Affected Configurations
- GlobalProtect portals with "Allow with Passcode" settings enabled
- Systems with uninstall password protection configured
- GlobalProtect App versions prior to patched releases
Workarounds
- Change "Allow User to Disable GlobalProtect App" to "Allow with Ticket"
- Change "Allow user to disconnect GlobalProtect App" to "Allow with Ticket"
- Change "Allow User to Uninstall GlobalProtect App" to "Disallow"
CVE-2025-4235: User-ID Credential Agent Password Exposure
Severity: MEDIUM (CVSS 4.2 - 7.2)
Published: September 10, 2025
Description
The User-ID Credential Agent (Windows-based) exposes service account passwords under specific non-default configurations. An unprivileged Domain User can escalate privileges by exploiting the exposed credentials.
Impact Varies by Service Account Privileges
- Minimally Privileged: Disruption of User-ID Agent operations
- Elevated Accounts: Server control, domain manipulation, network compromise
Affected Versions
- User-ID Credential Agent 11.0.2-133 through 11.0.2-* (before 11.0.3)
🔍 XSS and SQL Injection Vulnerabilities
CVE-2025-0133: Reflected XSS in GlobalProtect
Type: Reflected Cross-Site Scripting (XSS)
Description
A reflected XSS vulnerability in the GlobalProtect gateway and portal features allows attackers to execute malicious JavaScript in users' browsers. This can be exploited for phishing attacks and credential theft.
Attack Vector
Attackers craft malicious links containing JavaScript payloads and trick users into clicking them. When clicked, the JavaScript executes in the context of the GlobalProtect portal.
Mitigation
- Apply Threat Prevention signatures 510003 and 510004
- Educate users about suspicious links
- Implement email filtering for phishing attempts
CVE-2024-5920: Stored XSS in PAN-OS
Severity: LOW (CVSS 4.6)
Published: November 13, 2024
Description
A stored XSS vulnerability enables an authenticated read-write Panorama administrator to push a malicious configuration to a PAN-OS node. This enables impersonation of legitimate administrators.
Affected Versions
| Product | Affected | Patched |
|---|---|---|
| PAN-OS 11.1 | < 11.1.4 | >= 11.1.4 |
| PAN-OS 11.0 | < 11.0.6 | >= 11.0.6 |
| PAN-OS 10.2 | < 10.2.10-h14 or < 10.2.11 | >= 10.2.10-h14 or >= 10.2.11 |
| PAN-OS 10.1 | < 10.1.14 | >= 10.1.14 |
CVE-2024-9465: SQL Injection in Palo Alto Expedition
Severity: CRITICAL (CVSS 9.2)
Published: October 9, 2024
Exploitation Status: ACTIVELY EXPLOITED (CISA Known Exploited Vulnerabilities)
Description
An SQL injection vulnerability in Palo Alto Expedition allows an unauthenticated attacker to access the Expedition database, revealing sensitive information including password hashes, usernames, device configurations, and API keys.
Exploitation
The vulnerability can be exploited by injecting malicious SQL queries into input parameters. Attackers can also create and read arbitrary files on the Expedition system.
Impact
- Complete access to all firewall credentials stored in Expedition
- Extraction of device API keys
- Reading of arbitrary files on the system
- Potential remote code execution
GitHub Exploit Repository
🔑 Default Credentials
Factory Default Credentials for Palo Alto Networks Devices
| Component | Username | Password | Notes |
|---|---|---|---|
| PAN-OS Web GUI | admin | admin | Must be changed on first login (PAN-OS 9.0.4+) |
| PAN-OS CLI | admin | admin | Must be changed on first login (PAN-OS 9.0.4+) |
| Management Interface IP | N/A | N/A | Default: 192.168.1.1 /24 |
⚠️ Palo Alto Expedition: Multiple Critical Vulnerabilities
Palo Alto Expedition is a configuration migration tool used to migrate firewall configurations. Multiple critical vulnerabilities expose firewall credentials and enable remote code execution.
PAN-SA-2024-0010: Five Critical Expedition Vulnerabilities
Severity: CRITICAL (CVSS 9.9)
Published: October 9, 2024
Exploitation Status: ACTIVELY EXPLOITED
Vulnerability Summary
| CVE | CVSS | Type | Description |
|---|---|---|---|
| CVE-2024-9463 | 9.9 | OS Command Injection | Unauthenticated RCE as root |
| CVE-2024-9464 | 9.3 | OS Command Injection | Authenticated RCE as root |
| CVE-2024-9465 | 9.2 | SQL Injection | Database access & file read |
| CVE-2024-9466 | 8.2 | Cleartext Storage | Credential exposure in logs |
| CVE-2024-9467 | 7.0 | Reflected XSS | Session theft via phishing |
Exposed Information
These vulnerabilities collectively expose:
- Firewall usernames and passwords in cleartext
- Device API keys and credentials
- Device configurations and policies
- Password hashes and authentication data
Affected Versions
- Expedition 1 < 1.2.96
Remediation
- Upgrade Expedition to version 1.2.96 or later immediately
- Rotate all Expedition credentials
- Rotate all firewall credentials processed by Expedition
- Restrict network access to Expedition to authorized hosts only
- If not in active use, shut down Expedition immediately
Indicator of Compromise
If records are returned, this indicates potential compromise. However, absence of records does not confirm the system has not been compromised.
🚪 Backdoor Analysis and Pre-Built Access Mechanisms
Key Findings
No evidence of intentional pre-built backdoors by Palo Alto Networks has been discovered. However, multiple vulnerabilities enable attackers to install backdoors and establish persistence.
Vulnerabilities Enabling Backdoor Installation
- CVE-2024-3400: Allows arbitrary file creation and command execution for backdoor installation
- CVE-2024-9463/9464: Enable root-level command execution for backdoor placement
- CVE-2025-0108: Authentication bypass enables unauthorized access for backdoor installation
Real-World Backdoor Deployment: Operation MidnightEclipse
Palo Alto Unit42 documented Operation MidnightEclipse, where threat actors exploited CVE-2024-3400 to:
- Gain initial access to GlobalProtect gateways
- Install Python backdoors for persistence
- Establish command and control infrastructure
- Perform lateral movement within networks
Common Backdoor Installation Methods
- Creating malicious cron jobs for persistent execution
- Installing web shells in accessible directories
- Modifying system binaries and scripts
- Creating reverse shell connections for remote access
✅ Penetration Testing Checklist
Phase 1: Reconnaissance
- Identify Palo Alto devices via network scanning (port 443, 8080, 8443)
- Determine PAN-OS version through banner grabbing
- Identify GlobalProtect portals and gateways
- Locate Expedition instances if present
- Check for exposed management interfaces
- Identify User-ID Credential Agent on Windows systems
- Map network topology and connected systems
- Gather information about security policies and configurations
Phase 2: Vulnerability Assessment
- Test for CVE-2024-3400 (GlobalProtect command injection)
- Test for CVE-2025-0108 (Authentication bypass)
- Test for CVE-2024-8687 (GlobalProtect passcode exposure)
- Test for CVE-2025-4235 (User-ID Agent password exposure)
- Test for CVE-2024-9465 (Expedition SQL injection)
- Test for CVE-2025-0133 (Reflected XSS)
- Test for CVE-2024-5920 (Stored XSS)
- Test for authentication bypass vulnerabilities
- Check for default credentials (admin/admin)
- Test for weak password policies
Phase 3: Exploitation
- Exploit CVE-2024-3400 for RCE if vulnerable
- Attempt authentication bypass (CVE-2025-0108)
- Extract GlobalProtect passcodes (CVE-2024-8687)
- Access Expedition database via SQL injection
- Extract firewall credentials from Expedition
- Retrieve User-ID service account passwords
- Establish reverse shell connections
- Create backdoors for persistence
Phase 4: Post-Exploitation
- Use extracted credentials to access firewalls
- Modify firewall configurations
- Extract additional credentials from compromised devices
- Establish alternative access methods
- Perform lateral movement to connected systems
- Exfiltrate sensitive configurations and data
- Document findings and create proof of exploitation
🎯 Red Team Operational Tips and Recommendations
This section provides advanced, actionable intelligence for red team operators tasked with assessing Palo Alto Networks infrastructure. The focus is on practical techniques that go beyond standard vulnerability scanning to simulate a sophisticated adversary.
Reconnaissance Best Practices
Effective reconnaissance is the foundation of a successful engagement. The goal is to build a comprehensive map of the target's Palo Alto footprint without triggering early alarms.
Passive Intelligence Gathering (OSINT)
Objective: Identify public-facing GlobalProtect portals, gateways, and management interfaces using open-source intelligence before sending a single packet to the target.
- Shodan and Censys: These are invaluable for finding exposed devices. Use specific queries to narrow down results.
- DNS Enumeration: Corporate naming conventions often reveal VPN infrastructure. Look for hostnames that include `vpn`, `gp`, `globalprotect`, `portal`, `gateway`, `access`, etc.
- Certificate Transparency Logs: Search CT logs for certificates issued to subdomains related to the target's VPN infrastructure.
Active Reconnaissance
Objective: Actively probe identified targets to confirm services, fingerprint versions, and identify potential vulnerabilities. This phase carries a higher risk of detection.
- Targeted Port Scanning: Focus on common ports for PAN-OS and GlobalProtect to avoid noisy full-port scans.
- Version Fingerprinting: The PAN-OS version is often revealed in HTTP headers or specific file paths. This is critical for mapping to known CVEs.
- Visual Reconnaissance: Use tools like `eyewitness` or `aquatone` to take screenshots of web interfaces, which can quickly identify GlobalProtect portals among a large set of hosts.
Exploitation Techniques
Once a vulnerability is identified, exploitation must be precise and tailored to the target environment.
Credential-Based Attacks
- Credential Spraying: Many organizations have weak password policies. Use a small list of common passwords (e.g., `Spring2026!`, `Welcome123!`) against a large list of usernames gathered during reconnaissance. This is less likely to cause account lockouts than brute-forcing a single account.
- Exploiting Credential Exposure: For vulnerabilities like CVE-2024-8687 (Passcode Exposure), develop scripts to automate the extraction of credentials from local user systems if you have already achieved initial access on an endpoint.
Advanced Exploitation
- Blind Exploitation (Out-of-Band): For command injection vulnerabilities where you don't get direct output (blind RCE), use out-of-band channels to confirm execution.
- Timing Attacks: For some authentication bypass or SQL injection vulnerabilities, the server's response time may differ based on whether a query is true or false. This can be used to exfiltrate data one character at a time.
Persistence and Evasion
Gaining access is only the first step. A skilled red team operator establishes resilient persistence while remaining undetected.
Establishing Footholds
- Web Shells: On compromised firewalls, a simple web shell in a web-accessible directory can provide persistent command execution.
- Cron Jobs: A classic but effective technique. A cron job can periodically execute a reverse shell payload.
- Legitimate Account Creation: If you gain administrative access, create a new, seemingly legitimate administrative account with a non-obvious name to maintain access even if the initially compromised account password is changed.
Evasion Techniques
- Log Sanitization: Be meticulous. Identify the relevant logs (`pan_gp_portal.log`, `pan_gp_gateway.log`, audit logs) and remove or modify entries related to your activities. This is high-risk and can corrupt logs if done improperly.
- User-Agent Mimicry: Ensure your tools use User-Agent strings that are common within the target environment (e.g., standard browser agents, or even the GlobalProtect client's own User-Agent).
- Traffic Blending: Route your C2 traffic over common ports like 80, 443, or 53. Use domain fronting if possible to make your traffic appear to be communicating with a legitimate, high-reputation domain.
Lateral Movement
A compromised firewall is the perfect pivot point into the internal network.
Pivoting and Tunneling
- Using Firewall Credentials: Credentials for other network devices (routers, switches, other firewalls) are often stored in the firewall's configuration backups. Exfiltrate and parse these configs.
- Proxying Traffic: Use tools like `proxychains` or `socat` on the compromised firewall to tunnel your traffic into the internal network.
- Exploiting Trust Relationships: The firewall often has privileged access to other security tools (e.g., SIEM, NAC, RADIUS servers). Use the firewall's position to attack these adjacent systems.
Data Exfiltration
The ultimate goal is often to exfiltrate sensitive data. This must be done stealthily.
- DNS Tunneling: Exfiltrate data through DNS queries. This is slow but often goes undetected as DNS traffic is frequently unfiltered. Tools like `dnscat2` are designed for this.
- ICMP Tunneling: Similar to DNS tunneling, data can be hidden in the payload of ICMP echo packets.
- Hiding in Plain Sight: Exfiltrate data over common protocols like HTTPS, but embed it within seemingly normal traffic (e.g., POST requests with encoded data in form fields).
🔬 Burp Suite Proof-of-Concept Examples
This section provides practical, Burp Suite-style proof-of-concept examples for identifying and exploiting common web application vulnerabilities in Palo Alto Networks systems.
Reflected Cross-Site Scripting (XSS) - CVE-2025-0133
Objective: To demonstrate how a reflected XSS vulnerability can be exploited to execute arbitrary JavaScript in a user's browser. This PoC targets the GlobalProtect portal.
Burp Suite Repeater - Proof-of-Concept
The following HTTP request can be sent to the target using Burp Repeater to test for the vulnerability. The payload is injected into a URL parameter.
Expected Outcome
If the application is vulnerable, the response will reflect the injected JavaScript payload. When this response is rendered in a browser, a JavaScript alert box will appear, displaying the domain of the affected site. This confirms that arbitrary JavaScript can be executed.
Further Reading on XSS Exploitation
SQL Injection (SQLi) - CVE-2024-9465 (Expedition)
Objective: To demonstrate how a time-based blind SQL injection vulnerability can be exploited to confirm the vulnerability and exfiltrate data. This PoC targets the Palo Alto Expedition tool.
Burp Suite Intruder - Time-Based Blind SQLi
This attack uses Burp Intruder to send a series of requests with payloads designed to cause a time delay if the SQL query is successful. This confirms the vulnerability without needing to see the direct output of the query.
Target Request (intercepted with Burp Proxy):
Burp Intruder Configuration
- Send the target request to Burp Intruder.
- In the Positions tab, clear the default payload markers and add a marker around the `SLEEP(5)` part of the payload.
- In the Payloads tab, select the "Numbers" payload type. Configure it to generate numbers from 1 to 10 with a step of 1. This will test for time delays of 1 to 10 seconds.
- Start the attack.
Expected Outcome
In the Burp Intruder results window, observe the response times. If the response time for a given payload is approximately equal to the `SLEEP()` value (e.g., a 5-second delay for `SLEEP(5)`), this confirms the presence of a time-based blind SQL injection vulnerability.
Further Reading on SQLi Exploitation
🛡️ Mitigation and Hardening Recommendations
Immediate Actions (Priority 1)
Patch Management
- Upgrade all PAN-OS instances to latest patched versions
- Update GlobalProtect App to patched versions
- Upgrade Expedition to 1.2.96 or later
- Update User-ID Credential Agent to 11.0.3 or later
- Apply all security patches within 24-48 hours of release
Credential Rotation
- Rotate all firewall administrative credentials
- Rotate all API keys and service accounts
- Rotate Expedition credentials
- Rotate User-ID service account credentials
- Force password change for all administrative accounts
Access Control
- Restrict access to GlobalProtect portals to authorized networks
- Limit Expedition network access to authorized hosts
- Implement strong authentication for administrative access
- Enable multi-factor authentication where available
- Disable default accounts and credentials
Long-Term Hardening (Priority 2)
- Configuration Management: Encrypt sensitive data in configuration files
- Secure Credential Storage: Use hardware security modules (HSMs) for key storage
- Regular Audits: Regularly audit configuration files for exposed credentials
- Monitoring: Monitor for unauthorized access to management interfaces
- Network Segmentation: Isolate management interfaces on separate networks
- Incident Response: Develop and test incident response procedures
Detection and Monitoring
- Monitor for suspicious GlobalProtect gateway activity
- Alert on credential access attempts
- Track configuration changes to firewall policies
- Monitor for unusual administrative access patterns
- Implement centralized logging and SIEM integration
- Set up alerts for exploitation attempts
📚 References and Further Reading
- Palo Alto Networks Security Advisory. "CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to Command Injection in GlobalProtect." https://security.paloaltonetworks.com/CVE-2024-3400
- Palo Alto Networks Unit42. "Operation MidnightEclipse: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect." https://unit42.paloaltonetworks.com/cve-2024-3400/
- Volexity. "Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)." https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- WatchTowr Labs. "Palo Alto: Putting the Protecc in GlobalProtect (CVE-2024-3400)." https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- Palo Alto Networks Security Advisory. "CVE-2024-8687 PAN-OS: Cleartext Exposure of GlobalProtect Portal Passcodes." https://security.paloaltonetworks.com/CVE-2024-8687
- Palo Alto Networks Security Advisory. "CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface." https://security.paloaltonetworks.com/CVE-2025-0108
- Palo Alto Networks Security Advisory. "CVE-2025-4235 User-ID Credential Agent: Cleartext Exposure of Service Account password." https://security.paloaltonetworks.com/CVE-2025-4235
- Palo Alto Networks Security Advisory. "PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials." https://security.paloaltonetworks.com/PAN-SA-2024-0010
- National Vulnerability Database. "CVE-2024-9465 Detail." https://nvd.nist.gov/vuln/detail/cve-2024-9465
- Horizon3.ai. "Palo Alto Expedition: From N-Day to Full Compromise." https://horizon3.ai/attack-research/disclosures/palo-alto-expedition-from-n-day-to-full-compromise/
- CISA. "Known Exploited Vulnerabilities Catalog." https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Michelin Red Team. "Palo Alto GlobalProtect Remote Full Compromise Exploit Chain." https://blogit.michelin.io/palo-alto-globalprotect-remote-full-compromise-exploit-chain/
- GitHub. "CVE-2024-3400 Proof of Concept." https://github.com/ihebski/CVE-2024-3400
- Palo Alto Networks. "Palo Alto Networks Firewall - Web & CLI Initial Setup." https://docs.paloaltonetworks.com/pan-os/
Comments
Post a Comment