What is Palo Alto Networks PAN-OS?
Palo Alto Networks PAN-OS is the operating system powering Palo Alto's next-generation firewalls and Prisma Access cloud-delivered security service. PAN-OS firewalls are among the most widely deployed enterprise network security devices globally, serving as the security perimeter for government agencies, defense contractors, financial institutions, and critical infrastructure operators. The GlobalProtect VPN feature — through which users remotely access corporate networks — is one of the highest-value attack surfaces on these devices, as it is intentionally exposed to the internet for all remote employees.
Overview
CVE-2020-2021 is a SAML authentication bypass vulnerability (CWE-347) in PAN-OS that carries a perfect CVSS 10.0 score — the highest possible rating. When SAML single sign-on is configured as the authentication method and the "Validate Identity Provider Certificate" option is disabled, an attacker can forge a SAML assertion and authenticate without valid credentials. Successful exploitation grants unauthenticated access to GlobalProtect VPN, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication Portal (Captive Portal), and Prisma Access.
NSA publicly warned within two days of disclosure that Chinese state-sponsored actors were already exploiting the vulnerability.
Affected Versions
| PAN-OS Version | Vulnerable | Fixed |
|---|---|---|
| 9.1.x | < 9.1.3 | 9.1.3+ |
| 9.0.x | < 9.0.9 | 9.0.9+ |
| 8.1.x | < 8.1.15 | 8.1.15+ |
| 8.0.x | < 8.0.20 | 8.0.20 |
Exploitation requires SAML authentication to be configured and the "Validate Identity Provider Certificate" checkbox to be unchecked (a common misconfiguration when SAML IdP certificates are self-signed).
Technical Details
SAML (Security Assertion Markup Language) is a federated authentication protocol where an Identity Provider (IdP, such as Okta or Azure AD) issues signed XML assertions that service providers (like PAN-OS) accept as proof of identity. PAN-OS validates these assertions using the IdP's public certificate.
When "Validate Identity Provider Certificate" is disabled, PAN-OS skips cryptographic verification of the SAML assertion's signature. An attacker can craft a SAML response claiming to be any user — including an administrator — and PAN-OS accepts it as legitimate. Neither access to the IdP, nor a valid certificate, nor knowledge of any credentials is needed.
The CVSS scope is "Changed" (S:C) because successful exploitation of the VPN gateway gives the attacker access to the internal network beyond the PAN-OS device itself.
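The acceptance logic described above, reduced to a runnable model. This is an added example, not code from the page or from PAN-OS: it parses a constructed SAML Response, and the `validate_idp_certificate` flag models the checkbox. When the flag is off, the subject is trusted as claimed (the CWE-347 condition); when it is on, the signature must verify under the key pinned for the IdP. Because the standard library has no XML-DSig or RSA, the signature is a keyed HMAC over the assertion's issuer and subject, a stand-in for the real RSA-SHA256 XML signature; the keys, issuer URL and user names are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins. Real SAML uses the IdP's private key with XML-DSig
# (typically RSA-SHA256); an HMAC is used here only so the example runs with
# the standard library. The attacker never holds the IdP key.
IDP_SIGNING_KEY = b"constructed-idp-key"
ATTACKER_KEY = b"constructed-attacker-key"


def canonical(assertion) -> bytes:
    """Bytes the signature covers: the assertion's issuer and subject."""
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    return f"{issuer}|{name_id}".encode()


def build_response(issuer: str, name_id: str, signing_key: bytes) -> str:
    """Produce a SAML Response carrying one signed assertion (constructed XML)."""
    assertion_xml = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )
    sig = hmac.new(signing_key, canonical(ET.fromstring(assertion_xml)),
                   hashlib.sha256).hexdigest()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}">'
        f"{assertion_xml}"
        f"<ds:Signature><ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>"
        "</samlp:Response>"
    )


def accept_assertion(response_xml: str, validate_idp_certificate: bool,
                     trusted_key: bytes = IDP_SIGNING_KEY):
    """Return the authenticated NameID, or None when the response is rejected.

    validate_idp_certificate models the PAN-OS checkbox: when False the
    signature is never checked and the subject is accepted as claimed.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

    if not validate_idp_certificate:
        # Vulnerable path (CWE-347): the claimed identity is accepted without
        # any cryptographic check, so whoever can write XML is "anyone".
        return name_id

    # Hardened path: a signature must be present and verify under the key
    # pinned for this IdP; the comparison is constant-time.
    sig = root.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if sig is None:
        return None
    expected = hmac.new(trusted_key, canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return name_id


LEGIT = build_response("https://idp.example.test", "alice", IDP_SIGNING_KEY)
FORGED = build_response("https://idp.example.test", "admin", ATTACKER_KEY)

if __name__ == "__main__":
    print("validation off, forged:", accept_assertion(FORGED, False))  # admin
    print("validation on,  forged:", accept_assertion(FORGED, True))   # None
    print("validation on,  legit: ", accept_assertion(LEGIT, True))    # alice
```

The point the model makes is that the signature check is the only thing standing between "the XML says admin" and "admin is logged in"; a pinned, validated IdP certificate is what gives that check its meaning.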
Discovery
The vulnerability was identified and patched by Palo Alto Networks in June 2020 as part of a security audit of SAML handling. The NSA's near-immediate advisory on July 1 specifically named Chinese state-sponsored actors (likely APT41 / BARIUM), warning that these groups were exploiting the flaw against U.S. government and defense industrial base targets.
Exploitation Context
Exploitation began within days of public disclosure. Confirmed threat actor exploitation includes:
- Chinese state-sponsored APT (APT41/BARIUM): NSA advisory issued July 1, 2020 specifically warning of active exploitation targeting U.S. defense, energy, healthcare, and government networks
- Ransomware operators: Ransomware groups incorporated CVE-2020-2021 into initial access toolkits, reflected in CISA's "known ransomware use" classification for this CVE
- CISA KEV: CISA added it to the Known Exploited Vulnerabilities catalog in March 2022 alongside a batch of VPN vulnerabilities exploited in ransomware and state-sponsored campaigns
The misconfiguration prerequisite (disabled certificate validation) was more common than expected — many organizations had disabled this option during initial SAML configuration without understanding the security implication.
Remediation
- Patch immediately: Upgrade to PAN-OS 9.1.3+, 9.0.9+, 8.1.15+, or 8.0.20.
- Enable IdP Certificate Validation: Even on patched versions, verify "Validate Identity Provider Certificate" is enabled in all SAML authentication profiles (Device → Authentication Profile → SAML IdP settings). This closes the misconfiguration that makes exploitation possible.
- Audit SAML configuration: Review all SAML authentication profiles; regenerate or re-import IdP certificates if there is any question about certificate validity.
- Review VPN access logs: Check GlobalProtect and Authentication Portal logs for suspicious authentication events — particularly logins with no corresponding activity in the IdP's own logs, or from unusual source IPs.
- MFA enforcement: Enable multi-factor authentication for all VPN users as an independent layer of defense against authentication bypass vulnerabilities.
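The configuration audit from the remediation list, as an added example that is not part of the original page or of any Palo Alto Networks tooling. It walks a PAN-OS XML configuration export, finds every authentication profile that uses a SAML IdP server profile, and reports whether that server profile has the validate option enabled. The element names (`server-profile/saml-idp/entry`, `validate-idp-certificate`, `method/saml-idp/server-profile`) are assumed to match the export layout; check them against your own export before relying on the script. The sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export. Element names are
# assumed to follow the export layout; verify against a real export.
SAMPLE_CONFIG = """<config version="9.1.0">
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="Okta-Prod">
          <entity-id>http://www.okta.com/example</entity-id>
          <sso-url>https://example.okta.com/app/sso/saml</sso-url>
          <certificate>okta-signing-cert</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="AzureAD-Prod">
          <entity-id>https://sts.windows.net/example/</entity-id>
          <sso-url>https://login.microsoftonline.com/example/saml2</sso-url>
          <certificate>aad-signing-cert</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="GP-SAML-Okta">
        <method><saml-idp><server-profile>Okta-Prod</server-profile></saml-idp></method>
      </entry>
      <entry name="GP-SAML-Azure">
        <method><saml-idp><server-profile>AzureAD-Prod</server-profile></saml-idp></method>
      </entry>
      <entry name="GP-SAML-Stale">
        <method><saml-idp><server-profile>Old-IdP</server-profile></saml-idp></method>
      </entry>
      <entry name="Local-Admins">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>
"""


def find_saml_idp_profiles(root):
    """Map IdP server-profile name -> validate-idp-certificate value.

    Searches every scope (shared and per-vsys) because the same element
    layout is assumed under <shared> and under each vsys entry.
    """
    profiles = {}
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate")
        profiles[entry.get("name")] = (flag or "").strip().lower() or None
    return profiles


def audit_saml_auth_profiles(config_xml):
    """Return (auth_profile, idp_profile, validate_flag, status) per SAML profile.

    status is "OK" when validation is explicitly "yes", "VULNERABLE_CONFIG"
    when it is "no", "REVIEW" when the element is absent (default unknown from
    the export alone), and "MISSING_IDP_PROFILE" for a dangling reference.
    """
    root = ET.fromstring(config_xml)
    idp_profiles = find_saml_idp_profiles(root)
    findings = []
    for ap in root.iterfind(".//authentication-profile/entry"):
        ref = ap.findtext("method/saml-idp/server-profile")
        if ref is None:
            continue  # not a SAML authentication profile
        if ref not in idp_profiles:
            status = "MISSING_IDP_PROFILE"
        elif idp_profiles[ref] == "yes":
            status = "OK"
        elif idp_profiles[ref] == "no":
            status = "VULNERABLE_CONFIG"
        else:
            status = "REVIEW"
        findings.append((ap.get("name"), ref, idp_profiles.get(ref), status))
    return findings


if __name__ == "__main__":
    for name, ref, flag, status in audit_saml_auth_profiles(SAMPLE_CONFIG):
        print(f"{status:20} auth-profile={name} idp-profile={ref} validate={flag}")
```

Run it against the full export rather than a single vsys: a profile that reads "yes" in one vsys does not cover a GlobalProtect portal bound to a different one. Anything reported as VULNERABLE_CONFIG is the precondition the advisory describes, regardless of the PAN-OS version.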
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-2021 |
| Vendor / Product | Palo Alto Networks — PAN-OS |
| NVD Published | 2020-06-29 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-347 |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2020-06-29 | Palo Alto Networks patches CVE-2020-2021 and publishes advisory |
| 2020-07-01 | NSA issues advisory warning Chinese state actors are exploiting the flaw |
| 2022-03-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Palo Alto Networks Security Advisory CVE-2020-2021 | Vendor Advisory |
| NVD — CVE-2020-2021 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |