CVE-2020-2021 — Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Palo Alto PAN-OS — SAML Authentication Bypass, CVSS 10.0 Perfect Score

What is Palo Alto Networks PAN-OS?

Palo Alto Networks PAN-OS is the operating system powering Palo Alto's next-generation firewalls and Prisma Access cloud-delivered security service. PAN-OS firewalls are among the most widely deployed enterprise network security devices globally, serving as the security perimeter for government agencies, defense contractors, financial institutions, and critical infrastructure operators. The GlobalProtect VPN feature — through which users remotely access corporate networks — is one of the highest-value attack surfaces on these devices, as it is intentionally exposed to the internet for all remote employees.

Overview

CVE-2020-2021 is a SAML authentication bypass in PAN-OS (CWE-347, improper verification of a cryptographic signature) rated CVSS 10.0, the maximum possible score. When SAML is the configured authentication method and the "Validate Identity Provider Certificate" option is disabled on the SAML Identity Provider server profile, an unauthenticated attacker with network access to the affected interface can submit a forged SAML response and be accepted without valid credentials. Affected resources are the GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication Portal (Captive Portal), Prisma Access, and the PAN-OS and Panorama management web interfaces when they use SAML, where a forged assertion yields an administrator session.

U.S. Cyber Command publicly urged immediate patching on the day of disclosure, warning that foreign APTs would likely attempt exploitation, and the NSA later listed CVE-2020-2021 among the vulnerabilities being exploited by Chinese state-sponsored actors.

Affected Versions

PAN-OS Version   Vulnerable              Fixed
9.1.x            earlier than 9.1.3      9.1.3 and later
9.0.x            earlier than 9.0.9      9.0.9 and later
8.1.x            earlier than 8.1.15     8.1.15 and later
8.0.x            all versions            none (end-of-life; upgrade to a supported release)

Exploitation requires SAML authentication to be configured and the "Validate Identity Provider Certificate" checkbox on the SAML Identity Provider server profile to be unchecked. That is a common state, because the option is frequently left disabled when the IdP's signing certificate is self-signed or not issued by a CA the firewall trusts. PAN-OS 7.1 is not affected.

Technical Details

SAML (Security Assertion Markup Language) is a federated authentication protocol where an Identity Provider (IdP, such as Okta or Azure AD) issues signed XML assertions that service providers (like PAN-OS) accept as proof of identity. PAN-OS validates these assertions using the IdP's public certificate.

On affected releases with "Validate Identity Provider Certificate" disabled, PAN-OS does not properly verify the signature on the SAML response against the IdP certificate configured in the server profile. An attacker can therefore craft a SAML response asserting any username, including an administrator account, and PAN-OS treats it as a legitimate IdP login. No access to the IdP, no IdP signing key, and no user credentials are needed; the only prerequisite is network reachability of the SAML-enabled interface, which for GlobalProtect means the internet. Because the IdP is never contacted, any multi-factor authentication enforced by the IdP is bypassed along with it.

The CVSS scope is "Changed" (S:C) because successful exploitation of the VPN gateway gives the attacker access to the internal network beyond the PAN-OS device itself.
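The trust decision described above, as an added example in Go. This is not PAN-OS code and does not claim to reproduce the internal code path of the bug, which is not public; it models the difference between a verifier that takes its verification key from the message (no trust anchor for the IdP certificate, the state "Validate Identity Provider Certificate" unchecked leaves you in) and one that pins the IdP key configured on the service provider. The assertion strings, the audience name fw.example.com, and the function names are hypothetical, and the signature is plain RSA-PKCS1v15 over the assertion bytes rather than XML-DSig.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Response is a simplified stand-in for a SAML <Response>: assertion text,
// an RSA signature over it, and the signer's public key as a <KeyInfo>
// element would carry it. Real SAML signs canonicalised XML with XML-DSig;
// the trust decision modelled here is the same.
type Response struct {
	Assertion string // hypothetical content, e.g. "NameID=admin;Audience=fw.example.com"
	Signature []byte
	SignerKey []byte // DER (PKIX) public key the signer chose to embed
}

// Sign builds a Response signed with priv and embeds priv's public key,
// which is what a legitimate IdP and an attacker both do.
func Sign(priv *rsa.PrivateKey, assertion string) (Response, error) {
	digest := sha256.Sum256([]byte(assertion))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Response{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Response{}, err
	}
	return Response{Assertion: assertion, Signature: sig, SignerKey: der}, nil
}

func verifyWith(pub *rsa.PublicKey, r Response) error {
	digest := sha256.Sum256([]byte(r.Assertion))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature)
}

// VulnerableVerify takes the verification key from the message itself, so any
// internally consistent signature passes and the check says nothing about who
// signed. It models a verifier with no trust anchor for the IdP certificate.
func VulnerableVerify(r Response) error {
	parsed, err := x509.ParsePKIXPublicKey(r.SignerKey)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported key type %T in message", parsed)
	}
	return verifyWith(pub, r)
}

// HardenedVerify pins the IdP key configured on the service provider and
// ignores whatever key the message carries.
func HardenedVerify(idpKey *rsa.PublicKey, r Response) error {
	return verifyWith(idpKey, r)
}

// Outcome records each verifier's decision for a genuine and a forged assertion.
type Outcome struct {
	GenuineAccepted          bool
	ForgedAcceptedVulnerable bool
	ForgedAcceptedHardened   bool
}

// RunScenario generates an IdP key and an unrelated attacker key, signs one
// assertion with each, and runs both verifiers over the forged one.
func RunScenario() (Outcome, error) {
	idp, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // a key the IdP never issued
	if err != nil {
		return Outcome{}, err
	}
	genuine, err := Sign(idp, "NameID=alice;Audience=fw.example.com")
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(attacker, "NameID=admin;Audience=fw.example.com")
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		GenuineAccepted:          HardenedVerify(&idp.PublicKey, genuine) == nil,
		ForgedAcceptedVulnerable: VulnerableVerify(forged) == nil,
		ForgedAcceptedHardened:   HardenedVerify(&idp.PublicKey, forged) == nil,
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine, pinned IdP key: accepted=%v\n", out.GenuineAccepted)
	fmt.Printf("forged, key from message: accepted=%v\n", out.ForgedAcceptedVulnerable)
	fmt.Printf("forged, pinned IdP key: accepted=%v\n", out.ForgedAcceptedHardened)
}
```

The forged assertion carries a perfectly valid signature; it is just not the IdP's. A verifier that does not start from an out-of-band trust anchor for the IdP's signing certificate cannot tell the two apart, which is why the fix is both the patch and keeping certificate validation enabled.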

Discovery

Palo Alto Networks disclosed and patched the vulnerability on June 29, 2020. U.S. Cyber Command urged immediate patching the same day, noting that foreign APTs would likely attempt exploitation soon. On October 20, 2020 the NSA published its advisory on vulnerabilities exploited by Chinese state-sponsored cyber actors, which lists CVE-2020-2021 among the flaws those actors were using against U.S. targets.

Exploitation Context

Exploitation followed public disclosure. Known exploitation includes:

  • Chinese state-sponsored actors: the NSA's October 2020 advisory on vulnerabilities exploited by Chinese state-sponsored cyber actors lists CVE-2020-2021, after U.S. Cyber Command had urged immediate patching on the day of disclosure
  • Ransomware operators: CISA's KEV entry records known use in ransomware campaigns
  • CISA added it to KEV on March 25, 2022 alongside a large batch of older vulnerabilities exploited in ransomware and state-sponsored campaigns

The prerequisite misconfiguration (certificate validation disabled) was more common than expected: many organizations had unchecked the option during initial SAML setup, typically because the IdP's signing certificate was self-signed, without understanding that the check is what ties the assertion to the IdP.

Remediation

  1. Patch immediately: Upgrade to PAN-OS 9.1.3, 9.0.9 or 8.1.15 or later. PAN-OS 8.0 is end-of-life and receives no fix; migrate to a supported release.
  2. Enable IdP certificate validation: Even on patched versions, verify that "Validate Identity Provider Certificate" is enabled on every SAML Identity Provider server profile (Device → Server Profiles → SAML Identity Provider) that an authentication profile references. This closes the configuration state that makes exploitation possible. If the IdP certificate in use cannot be validated, replace it with one that can rather than leaving the option disabled.
  3. Audit SAML configuration: Review all authentication profiles that use SAML and the server profiles they point to; regenerate or re-import IdP certificates if there is any question about certificate validity.
  4. Review access logs: Check GlobalProtect, Authentication Portal and management-interface authentication logs for suspicious SAML logins, in particular logins with no corresponding authentication event in the IdP's own logs, logins from unusual source addresses, and administrator logins over SAML.
  5. MFA enforcement: Require multi-factor authentication for all VPN and administrative users. Note the caveat: MFA enforced by the IdP is bypassed along with the IdP when the assertion is forged, so it only helps against this class of flaw if the firewall enforces the second factor independently of the SAML assertion.
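A check for steps 2 and 3, written in Go as an added example (not a Palo Alto Networks tool): it parses an exported PAN-OS configuration snapshot and reports every SAML-backed authentication profile whose IdP server profile does not have certificate validation set to yes. The sample XML is constructed for the example, and the element paths (shared > server-profile > saml-idp > entry, validate-idp-certificate, and method > saml-idp > server-profile under authentication-profile) are assumed from the layout of exported configurations; confirm them against a real export before relying on the output.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// SampleConfig is a constructed fragment in the shape of an exported PAN-OS
// configuration, not a real export. Element names and paths are assumed;
// check them against your own "Export named configuration snapshot" XML.
const SampleConfig = `<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="idp-corp">
          <certificate>idp-corp-signing</certificate>
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="idp-admin">
          <certificate>idp-admin-signing</certificate>
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="idp-guest">
          <certificate>idp-guest-signing</certificate>
        </entry>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-users"><method><saml-idp><server-profile>idp-corp</server-profile></saml-idp></method></entry>
      <entry name="admin-sso"><method><saml-idp><server-profile>idp-admin</server-profile></saml-idp></method></entry>
      <entry name="captive-portal"><method><saml-idp><server-profile>idp-guest</server-profile></saml-idp></method></entry>
      <entry name="orphaned"><method><saml-idp><server-profile>idp-retired</server-profile></saml-idp></method></entry>
      <entry name="local-admins"><method><local-database/></method></entry>
    </authentication-profile>
  </shared>
</config>`

type samlIdPProfile struct {
	Name        string `xml:"name,attr"`
	Certificate string `xml:"certificate"`
	ValidateIdP string `xml:"validate-idp-certificate"` // "yes" or "no"; may be absent
}

type authProfile struct {
	Name       string `xml:"name,attr"`
	SAMLServer string `xml:"method>saml-idp>server-profile"` // empty when the method is not SAML
}

type panConfig struct {
	IdPs  []samlIdPProfile `xml:"shared>server-profile>saml-idp>entry"`
	Auths []authProfile    `xml:"shared>authentication-profile>entry"`
}

// Finding names an authentication profile whose SAML path needs attention.
type Finding struct {
	AuthProfile string
	IdPProfile  string
	Problem     string
}

// Audit reports every SAML-backed authentication profile whose IdP server
// profile does not have validate-idp-certificate set to "yes". A missing
// element is reported as well: an unset option is the state to review, not
// something to assume safe. A dangling server-profile reference is reported
// too, since the profile cannot be judged.
func Audit(configXML string) ([]Finding, error) {
	var cfg panConfig
	if err := xml.Unmarshal([]byte(configXML), &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	byName := make(map[string]samlIdPProfile, len(cfg.IdPs))
	for _, p := range cfg.IdPs {
		byName[p.Name] = p
	}
	var findings []Finding
	for _, a := range cfg.Auths {
		if a.SAMLServer == "" {
			continue // local, LDAP, RADIUS, ...: not in scope for this CVE
		}
		p, ok := byName[a.SAMLServer]
		switch {
		case !ok:
			findings = append(findings, Finding{AuthProfile: a.Name, IdPProfile: a.SAMLServer,
				Problem: "references a SAML IdP server profile that does not exist"})
		case !strings.EqualFold(strings.TrimSpace(p.ValidateIdP), "yes"):
			findings = append(findings, Finding{AuthProfile: a.Name, IdPProfile: p.Name,
				Problem: "validate-idp-certificate is not 'yes'"})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Audit(SampleConfig)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s -> %-12s %s\n", f.AuthProfile, f.IdPProfile, f.Problem)
	}
}
```

On a multi-vsys firewall the same profiles can also live under the vsys subtree rather than under shared; extend the struct paths accordingly when auditing such a device.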

Key Details

Property              Value
CVE ID                CVE-2020-2021
Vendor / Product      Palo Alto Networks — PAN-OS
NVD Published         2020-06-29
NVD Last Modified     2025-11-04
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-347
CISA KEV Added        2022-03-25
CISA KEV Deadline     2022-04-15
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date         Event
2020-06-29   Palo Alto Networks publishes the advisory and fixed releases; U.S. Cyber Command urges immediate patching
2020-10-20   NSA advisory lists CVE-2020-2021 among vulnerabilities exploited by Chinese state-sponsored actors
2022-03-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15   CISA BOD 22-01 remediation deadline

References

Resource                                              Type
Palo Alto Networks Security Advisory CVE-2020-2021    Vendor advisory
NVD — CVE-2020-2021                                   Vulnerability database
CISA KEV Catalog Entry                                US government