Palo Alto GlobalProtect Vulnerability Advisory | July 2022

Threat actors are actively exploiting a critical vulnerability in Palo Alto devices. Here's what you need to know.

Background

Corvus Threat Intel has observed ransomware groups actively exploiting a previously disclosed critical vulnerability in Palo Alto devices, CVE-2020-2021. The vulnerability allows a threat actor to bypass authentication and gain access to the network. Corvus recommends that mitigation steps be performed on affected devices as soon as possible to prevent possible ransomware attacks.

Quick facts: what you need to know

  • The vulnerability affects PAN-OS releases older than the fixed versions listed under Mitigation Steps below
  • An attacker can bypass authentication and gain access to the network under a specific configuration: Security Assertion Markup Language (SAML) authentication is enabled and the “Validate Identity Provider Certificate” option is disabled (unchecked).
  • Palo Alto devices and services that may be vulnerable include:
    • GlobalProtect Gateway,
    • GlobalProtect Portal,
    • GlobalProtect Clientless VPN,
    • Authentication and Captive Portal,
    • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces,
    • Prisma Access

Next Steps for all Palo Alto users: 

  1. Mitigation Steps
    1. Update immediately to PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, or a later release on the corresponding branch, following vendor recommendations
      1. Configure your SAML Identity Provider's signing certificate as the “Identity Provider Certificate” before you upgrade to a fixed version. This prevents user lockouts and ensures users can continue to authenticate successfully. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authentication)
      2. Review actions required before and after upgrading PAN-OS here 
  2. Workarounds

Upgrading to a fixed version of PAN-OS software prevents any future configuration changes related to SAML that inadvertently expose protected services to attacks. However, until an upgrade can be performed, applying the steps below eliminates the configuration required for exposure to this vulnerability:

    1. Ensure that the “Identity Provider Certificate” is configured. Configuring the “Identity Provider Certificate” is an essential part of a secure SAML authentication configuration.
    2. If the identity provider (IdP) certificate is a certificate authority (CA) signed certificate, then 
      1. Ensure that the “Validate Identity Provider Certificate” option is enabled in the SAML Identity Provider Server Profile. Note that many popular IdPs generate self-signed IdP certificates by default, and with a self-signed certificate the “Validate Identity Provider Certificate” option cannot be enabled.
      2. Additional steps may be required to use a certificate signed by a CA. This certificate can be signed by an internal enterprise CA, the CA on the PAN-OS, or a public CA. Instructions to configure a CA-issued certificate on IdPs are available here.
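The following script is an added example, not part of the original advisory or of any Palo Alto tooling. It combines the two checks the Next Steps above describe: whether a PAN-OS version is at or past the fixed release on its branch (8.1.15, 9.0.9, 9.1.3, or a later branch), and whether each SAML Identity Provider server profile in an exported XML configuration has an “Identity Provider Certificate” configured with “Validate Identity Provider Certificate” enabled. The XML element names (`saml-idp`, `certificate`, `validate-idp-certificate`) and the sample configuration are assumptions modelled on the PAN-OS config layout; confirm them against your own exported running-config.xml before relying on the output.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory (CVE-2020-2021): the listed build and
# any later build on the same branch carry the fix.
FIXED_BY_BRANCH = {
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}
NEWEST_FIXED_BRANCH = (9, 1)  # branches after this shipped with the fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample of a PAN-OS XML config export (element names assumed).
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-weak">
          <certificate>corp-idp-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-hardened">
          <certificate>corp-idp-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="idp-nocert"/>
      </saml-idp>
    </server-profile>
  </shared>
</config>"""


def parse_version(text):
    """Turn a PAN-OS version string such as '9.0.8-h1' into (major, minor, maint, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def version_is_fixed(text):
    """True if the release carries the fix, False if it predates the fixed build on
    its branch, None if the branch is older than any the advisory lists (treat as
    not fixed and check with the vendor)."""
    major, minor, maint, _ = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        # Hotfix number is irrelevant: 9.0.9-h1 is at least 9.0.9, 9.0.8-h3 is not.
        return (major, minor, maint) >= FIXED_BY_BRANCH[branch]
    if branch > NEWEST_FIXED_BRANCH:
        return True  # "and later versions of PAN-OS"
    return None


def audit_saml_profiles(xml_text):
    """Return (profile name, finding) pairs for every SAML IdP server profile that
    lacks an IdP certificate or has certificate validation disabled."""
    root = ET.fromstring(xml_text)
    findings = []
    for container in root.iter("saml-idp"):  # element name assumed
        for profile in container.findall("entry"):
            name = profile.get("name", "?")
            cert = (profile.findtext("certificate") or "").strip()
            # An absent element is treated as "no" (assumption; the UI default).
            validate = (profile.findtext("validate-idp-certificate") or "no").strip().lower()
            if not cert:
                findings.append((name, "no Identity Provider Certificate configured"))
            elif validate != "yes":
                findings.append((name, "Validate Identity Provider Certificate is disabled"))
    return findings


def assess(version_text, xml_text):
    """Combine both checks. A device is reported as exposed when it is not on a
    fixed release AND at least one SAML profile shows a weak setting; the
    configuration findings are always reported so they can be cleaned up anyway."""
    fixed = version_is_fixed(version_text)
    findings = audit_saml_profiles(xml_text)
    return {
        "version": version_text,
        "version_fixed": fixed,
        "findings": findings,
        "exposed": fixed is not True and bool(findings),
    }


if __name__ == "__main__":
    for ver in ("9.0.8-h1", "9.0.9"):
        result = assess(ver, SAMPLE_CONFIG)
        print(f"PAN-OS {ver}: fixed={result['version_fixed']} exposed={result['exposed']}")
        for name, finding in result["findings"]:
            print(f"  profile {name}: {finding}")
```

The script only inspects server profiles; it does not confirm that SAML is actually selected on a GlobalProtect portal, gateway, or the management web interface, so treat any finding on an unpatched device as exposed until that has been verified. Profiles flagged on an already-fixed release are still worth correcting, since the workaround steps above describe the intended secure configuration regardless of version.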