An unmarshal reflection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create arbitrary empty directories and files in the operating system. If device telemetry is enabled, remote OS command injection is possible via the dt_curl Python module.

This module verifies the vulnerability in three steps. The first step performs a control check by requesting a random filename in the /images directory. Since this file should not exist in the target web application, the web server returns a 404 HTTP code. The second step uses the vulnerability to try to create the file in that location. The final step repeats the first step. If the file now exists, a 403 HTTP code is returned, proving that the file was created through the vulnerability. Any other HTTP code is taken to mean that the target system is not vulnerable.
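The status transition this check relies on can also be hunted for in web server access logs: the same /images/ path answering 404 and later 403. The following is an added example, not code from the module or from Palo Alto Networks; the combined-style log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Combined-style access log line (the format is an assumption, adjust to your logs).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation addresses, made-up filenames).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2024:10:00:01 +0000] "GET /images/qzxwvu.txt HTTP/1.1" 404 153
198.51.100.7 - - [12/Apr/2024:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
192.0.2.10 - - [12/Apr/2024:10:00:03 +0000] "GET /images/qzxwvu.txt HTTP/1.1" 403 162
198.51.100.7 - - [12/Apr/2024:10:05:09 +0000] "GET /images/missing.gif HTTP/1.1" 404 153
203.0.113.5 - - [12/Apr/2024:10:06:00 +0000] "GET /images/private/ HTTP/1.1" 403 162
"""


def find_probe_sequences(log_text):
    """Return (path, client_404, client_403) for each /images/ path that
    answered 404 and later 403, i.e. a file appeared between two requests.
    Lines are assumed to be in chronological order."""
    first_404 = {}   # path -> client that received the 404
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m["path"].split("?", 1)[0]
        if not path.startswith("/images/"):
            continue
        if m["status"] == "404":
            first_404.setdefault(path, m["ip"])
        elif m["status"] == "403" and path in first_404:
            # Keyed on path only: the two requests may come from different clients.
            hits.append((path, first_404.pop(path), m["ip"]))
    return hits


if __name__ == "__main__":
    for path, c404, c403 in find_probe_sequences(SAMPLE_LOG):
        print(f"404->403 transition on {path} (404 to {c404}, 403 to {c403})")
```

A 403 with no earlier 404 for the same path, such as the last sample line, is not reported, since it does not show that a file appeared.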