#FactCheck - Old Image from Iraq Falsely Linked to Alleged Attack on Iran’s Water Treatment Plant
Research Wing
Innovation and Research
PUBLISHED ON
Mar 12, 2026
Executive Summary:
Amid the ongoing tensions and conflict involving the United States, Israel, and Iran, an image of a heavily damaged industrial facility is circulating widely on social media. Several users are sharing the picture claiming that it shows an Iranian water treatment or desalination plant destroyed in a US–Israel attack. Some media reports have also used the same image while reporting on the alleged attack on a freshwater desalination plant in Iran.
However, research by CyberPeace found that the claim is misleading. The viral image is not from Iran. It actually shows the aftermath of a drone attack on a warehouse belonging to a US company in Basra, Iraq.
Claim
X user “Shashank Shekhar Jha” shared the image on March 8, 2026, claiming that a freshwater desalination plant in Qeshm, Iran, had been destroyed.
To verify the claim, we conducted a reverse image search using Google Lens. During the search, we found a report published on March 7, 2026, on the website of Asian News International (ANI). The report stated that Iran’s Foreign Minister Seyed Abbas Araghchi condemned a US attack on a freshwater desalination plant on Qeshm Island, calling it a “blatant and desperate crime.”
The report used the same viral image; however, the caption clearly mentioned that it was a representational image credited to Reuters.
To further confirm the claim, we checked the official X account of Seyed Abbas Araghchi. In a post on March 7, he condemned the alleged attack on the desalination plant in Qeshm and stated that the strike had disrupted water supply to around 30 villages. However, the post did not include any image of the incident.
Conclusion
The viral image being shared as evidence of a US–Israel attack on Iran’s water treatment plant is misleading. The photo actually shows the aftermath of a drone strike on a warehouse belonging to a US company in Basra, Iraq, and has been wrongly linked to the situation in Iran.
A critical vulnerability, CVE-2024-3400, was recently discovered in Palo Alto Networks' PAN-OS software, which powers all of the company's next-generation firewalls. It is a command injection vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on the affected system. Threat actors have actively exploited it, leaving many organizations at risk of severe cyberattacks. This report covers the exploitation, detection, mitigations and recommendations for this vulnerability.
Image Source: Palo Alto Networks
Understanding The CVE-2024-3400 Vulnerability:
CVE-2024-3400 affects particular versions of PAN-OS in a certain configuration. It is a command injection flaw in the GlobalProtect module of the PAN-OS software. An unauthorized user can exploit it to run arbitrary code on the firewall with root privileges. Exploitation has been used to target the Active Directory database (ntds.dit), important data (DPAPI), and Windows event logs (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx), as well as login data, cookies, and local state data for Chrome and Microsoft Edge from specific targets, allowing attackers to capture the browser master key and steal sensitive information of the organization.
CVE-2024-3400 has been assigned a critical severity rating of 10.0. The following two weaknesses make this CVE highly severe:
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-20: Improper Input Validation.
Impacted Products:
The PAN-OS versions affected by CVE-2024-3400 are:
Only versions 10.2, 11.0, and 11.1 set up with GlobalProtect Gateway or GlobalProtect Portal are exposed to this vulnerability. Cloud NGFW, Panorama appliances and Prisma Access are not affected.
Detecting Potential Exploitation:
Palo Alto Networks has confirmed that it is aware of threat actors exploiting this vulnerability. In a recent publication it credited Volexity with identifying the vulnerability. A growing number of organizations face severe and immediate risk from this exploitation, and third parties have also released proof-of-concept code for the vulnerability.
Palo Alto Networks has provided guidance for detecting exploitation attempts. Run the following command on the command-line interface of the PAN-OS device:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
This command searches the device logs for specific entries related to the vulnerability.
These log entries should contain a long, random-looking code called a GUID (Globally Unique Identifier) between the words "session(" and ")". If an attacker has tried to exploit the vulnerability, this section might contain a file path or malicious code instead of a GUID.
The presence of such entries in your logs could be a sign of an attempted attack on your device. A suspicious entry may look like this:
failed to unmarshal session(../../some/path)
A normal, harmless log entry would look like this:
failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
If the value in these entries is not a GUID and looks suspicious, further investigation and action are needed to secure the system.
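The check described above, as an added example that is not part of the original report or of Palo Alto Networks' guidance: a Python triage of exported gpsvc.log lines that separates GUID entries from suspicious ones. It goes slightly beyond the grep by flagging any non-GUID value, not only those containing a "/"; the sample lines, their timestamp prefix, and the function names are constructed for illustration.

```python
import re

MARKER = "failed to unmarshal session("
# A GUID (8-4-4-4-12 hex digits) immediately followed by the closing parenthesis.
GUID_THEN_CLOSE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)"
)

def classify(line):
    """Return (verdict, value) for a marker line, or None for any other line."""
    start = line.find(MARKER)
    if start == -1:
        return None
    rest = line[start + len(MARKER):].rstrip("\r\n")
    if GUID_THEN_CLOSE.match(rest):
        return ("benign", rest[:36])
    # Not a GUID: keep everything up to the last ')' so a value that itself
    # contains parentheses is not cut short; a truncated line is kept whole.
    end = rest.rfind(")")
    value = rest[:end] if end != -1 else rest
    # "path-like" means the value contains a '/', the case the grep looks for.
    verdict = "path-like" if "/" in value else "non-guid"
    return (verdict, value)

def triage(lines):
    """Return [(line_no, verdict, value)] for every non-benign marker line."""
    findings = []
    for no, line in enumerate(lines, 1):
        result = classify(line)
        if result and result[0] != "benign":
            findings.append((no, *result))
    return findings

# Constructed sample input: only the "failed to unmarshal session(...)" text
# comes from the report; the prefix layout is an assumption.
SAMPLE = [
    "2024-04-10 09:12:01 gpsvc: failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-10 09:13:44 gpsvc: failed to unmarshal session(../../some/path)",
    "2024-04-10 09:14:02 gpsvc: session established",
    "2024-04-10 09:15:30 gpsvc: failed to unmarshal session(not-a-guid)",
    "2024-04-10 09:16:11 gpsvc: failed to unmarshal session(../../some/pa",
]

if __name__ == "__main__":
    for no, verdict, value in triage(SAMPLE):
        print(f"line {no}: {verdict}: {value!r}")
```

Any finding is a lead for investigation, not proof of compromise; review the full log line and the surrounding entries before acting on it.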
Mitigation and Recommendations:
The risks posed by the critical CVE-2024-3400 vulnerability can be mitigated by the following recommended steps:
Immediately update Software: This vulnerability is fixed in software releases namely PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all higher versions. Updating software to these versions will protect your systems fully against potential exploitation.
Leverage Hotfixes: Palo Alto Networks has released hotfixes for commonly deployed maintenance releases of PAN-OS 10.2, 11.0, and 11.1 for the users who cannot upgrade to the latest versions immediately. These hotfixes do provide a temporary solution while you prepare for the full upgrade.
Enable Threat Prevention: If you have a Threat Prevention subscription, enable Threat IDs 95187, 95189, and 95191 to block attacks targeting the CVE-2024-3400 vulnerability. These Threat IDs are available in Applications and Threats content version 8836-8695 and later.
Apply Vulnerability Protection: Ensure that vulnerability protection has been applied in the GlobalProtect interface to prevent the exploitation on the device. It can be implemented using these instructions.
Monitor Advisory Updates: Regularly check for updates to the official Palo Alto Networks advisory. This helps you stay up to date with new guidance and threat prevention IDs for CVE-2024-3400.
Disable Device Telemetry – Optional: It is suggested to disable the device telemetry as an additional precautionary measure.
Remediation: If there is an active exploitation observed, follow the steps mentioned in this Knowledge Base article by Palo Alto Networks.
Implementing the above mitigation measures and recommendations will greatly reduce the risk of exploitation from attacks targeting the CVE-2024-3400 vulnerability in Palo Alto Networks' PAN-OS software.
Conclusion:
An immediate response is needed against active exploitation of the critical CVE-2024-3400 vulnerability in Palo Alto Networks' PAN-OS platform. Organizations should implement the suggested mitigation measures, such as upgrading to the patched versions, enabling threat prevention and applying vulnerability protection, to protect themselves from this vulnerability. Regular monitoring, security defense mechanisms and security audits are necessary measures that help combat emerging threats and protect critical resources.
A video showing a massive gathering of people dressed in black is widely circulating on social media. The clip is being shared with the claim that it shows crowds mourning the funeral of Iran’s Supreme Leader Ayatollah Ali Khamenei following his alleged killing in February 2026. However, research by CyberPeace found that the claim is misleading and the video is unrelated to Iran.
Claim:
The viral video shows a large crowd gathered in a public square, with a mosque featuring a golden dome visible in the background. Social media posts claim that the footage captures mourners attending Ayatollah Khamenei’s funeral after his reported death in a joint US-Israel operation.
To verify the claim, we extracted keyframes from the video and conducted a reverse image search. This led us to a similar clip uploaded on January 15 by an Iraqi broadcaster, Karbala TV, on Facebook. In the footage, a large crowd can be seen carrying a symbolic coffin near a shrine with a golden dome—matching the visuals seen in the viral video. According to the Arabic caption, the video shows a “symbolic funeral” procession held at the Kazimayn Shrine in Baghdad, Iraq. The event is part of an annual religious observance commemorating Imam Musa al-Kazim, the seventh Imam in Shia Islam, who is believed to have died after being poisoned in the 8th century.
Every year, large numbers of Shia devotees gather at the shrine in Baghdad to pay their respects during this commemoration. The visuals seen in the viral clip are consistent with this annual gathering.
The claim that the video shows crowds at Ayatollah Khamenei’s funeral is false. The footage is unrelated and actually depicts a religious gathering in Baghdad, Iraq, held as part of an annual Shia ritual.
During the Gau Raksha Yatra of Shankaracharya Swami Avimukteshwaranand Saraswati, bees reportedly attacked a discourse event in the Rohania area of Varanasi, Uttar Pradesh. Following the incident, a picture has gone viral on social media showing bees attacking Swami Avimukteshwaranand Saraswati. Several users are sharing the image as genuine while targeting the Shankaracharya online. CyberPeace Research Wing investigated the viral image and found it to be fake. Our research revealed that the picture was created using Artificial Intelligence (AI). While it is true that a bee attack occurred during Swami Avimukteshwaranand Saraswati’s discourse program, the viral image itself is fabricated.
Claim
A Facebook user named “Sanjay Chaudhary” shared the viral image on May 15, 2026, with the caption: “Prakritik kop ka bhajan bana Shukracharya Umashankar alias Avimukteshwaranand… This Kaalnemi was delivering false sermons in Rohania, Varanasi in the name of religion… The bees from a nearby hive did not like it and collectively attacked, creating chaos. Even insects and nature no longer like the opposition’s politics disguised as Sanatan Dharma. Calling Yogi Ji Aurangzeb, Akbar and butcher is not acceptable even to nature and insects.”
To verify the viral claim, we used Google Open Search tools and found reports related to the incident on the YouTube channel of News18 UP Uttarakhand. A report published on May 13, 2026 stated that bees attacked the discourse event during Swami Avimukteshwaranand’s Gau Raksha Yatra in Rohania, Varanasi. The incident created panic at the venue, forcing the Swami to end his discourse midway. The channel also uploaded a YouTube Shorts video related to the incident.
As part of the research, we further analyzed the viral image using AI detection tools. First, we used the tool “Sight Engine,” which indicated an 88 percent probability that the image was AI-generated.
We then examined the image using another AI detection tool called “Undetectable,” which also suggested that the photo was likely created using AI.
Conclusion
Our research found that the viral image is AI-generated. The picture was created using artificial intelligence tools. While bees did attack during Swami Avimukteshwaranand Saraswati’s Gau Raksha Yatra on May 13, 2026, the viral image circulating on social media is fictional and not real.