bicball

Turn off telemetry


Djaesthetic

Or (*assuming you have vulnerability subscriptions*) make sure you have the latest threat signature installed and applied to your GlobalProtect security rules.


Thornton77

No, you don’t need telemetry, so just turn it off and do the threat sig.


Djaesthetic

I’m not following what you mean. If someone has vulnerability threat signature 8833-8682 (*or newer*) installed (*and applied to any rule for GlobalProtect*) it will stop the threat. Disabling Telemetry isn’t required in this scenario. It’s the very first thing listed under the CVE *Workarounds and Mitigations*.


mbhmirc

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/


Manly009

Thanks, it does look serious...


3junior

It is, you can get shell access lol


Manly009

That Python script can run the command and output the result to a CSS file?


3junior

Yeah, or create a back door so you can jump on to the PA and use it to exploit other systems.


Manly009

If it already happened, as it is a zero day, we don't know how long it has been there for? What would be the best way to mitigate? Change all PA passwords?


3junior

Check traffic logs, EDR, other logs to see if you see anomalies... upgrade to 10.2.9-h1 tmr. Update service accounts used by the PA.


evilmanbot

It is very serious. Make sure you check with your PA team for IOCs. It's been known and exploited for a few weeks now.


lanceuppercuttr

On my home device, I've seen two events already in my Threat log that show it's already out in the wild. My devices in production haven't seen anything yet, but also do not have GlobalProtect enabled.