Palo Alto Networks GlobalProtect VPN Vulnerability Advisory | November 2021

Palo Alto Networks disclosed a new vulnerability, CVE-2021-3064, in their Firewalls with GlobalProtect VPN services. Here's what you need to know.


On November 10, 2021, Palo Alto Networks (PAN) issued a security advisory regarding a critical vulnerability, CVE-2021-3064, that affects their firewalls using the GlobalProtect Portal VPN. Threat actors can leverage the vulnerability to gain unauthorized access to the device. This affects organizations that leverage GlobalProtect for VPN services and expose the GlobalProtect interface to their users, which is a common setup. The issue impacts multiple versions of PAN-OS 8.1 earlier than PAN-OS 8.1.17. At this time, there is no evidence of active exploitation, but Corvus expects this to change as knowledge of the vulnerability becomes public. PAN released a patch for the issue. Organizations are encouraged to update to the latest version immediately.

Quick facts: what you need to know now

  • This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.
  • Active exploitation of the attack is not yet observed but could be imminent.
  • An unauthenticated threat actor could gain access to the firewall and VPN device. This could lead to code execution, access to sensitive configuration data, extraction of credentials, and more.
  • Ransomware threat actors commonly target vulnerabilities in VPN devices to gain access to environments to then deploy ransomware throughout the environment.

Next Steps for All Palo Alto Networks GlobalProtect Customers:

  1. Verify if you are using GlobalProtect and have a GlobalProtect portal or gateway configured. 
    1. From the PAN Firewall web interface, check for entries in 'Network > GlobalProtect > Portals' and in 'Network > GlobalProtect > Gateways'
    2. Verify VPN configurations are as expected.
  2. Update to PAN-OS 8.1.17 or later.
  3. If you are not using the VPN services, disable GlobalProtect.
  4. Enable signatures for Unique Threat IDs 91820 and 91855 on traffic destined for GlobalProtect portal and gateway interfaces.
  5. Review VPN logs for suspicious login activity. If suspicious activity is identified during review:
    1. Reset all user VPN credentials and ensure MFA is enabled.
    2. Immediately notify Corvus of a potential claim via the email or hotline listed on your policy.  We will then connect you to counsel and a forensics firm to ensure your organization properly investigates, mitigates, and responds to the threat.

If you have any questions, please reach out to the Risk + Response Team at!