US Cyber Command Warns About Imminent PAN-OS Bug Exploit Wave

  • A freshly discovered and patched critical vulnerability threatens corporate networks with catastrophic attacks.
  • An actor could potentially access protected information on the unpatched systems without having to authenticate.
  • System administrators have to apply the available patches or change the configuration as soon as possible.

US Cyber Command is warning the public about “CVE-2020-2021” and urges system admins to patch immediately. As the agency characteristically wrote on Twitter, foreign APTs will likely attempt to exploit this critical vulnerability very soon, so updating the below products made by Palo Alto Networks is non-negotiable at this point.

  • GlobalProtect Gateway
  • GlobalProtect Portal
  • GlobalProtect Clientless VPN
  • Authentication and Captive Portal
  • PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces
  • Prisma Access systems

This vulnerability involves authentication bypass in SAML (Security Assertion Markup Language), potentially enabling an attacker to access protected resources without requiring any user interaction. Due to the low level of complexity involved in exploiting the bug, experts in the field fear that an attack wave targeting unpatched systems is bound to rise in the next couple of weeks or even days. To get an idea of which products are vulnerable and which versions are safe to use, check out the following table.


If updating is impossible for any reason, you should disable the “SAML Authentication” from being a valid authentication method. You can do this through Device/Panorama → Server Profiles → SAML Identity Provider. If you have the capacity to apply the update instead, just make sure that the signing certificate for the SAML Identity Provider is properly configured. Otherwise, you may end up barring your users out too.

Deciding to take no action now would be the worst possible approach, and you should bear in mind that figuring out which logins or user sessions were valid and which ones were malicious will be quite hard by looking into the system logs later on. While there’s no evidence that the flaw is already being under active exploitation right now, you should still check all logs for signs of trouble like unusual usernames or source IP addresses.

Actors love VPN flaws, and they have shown their inclination to targeting corporate systems through these entry points numerous times in the recent past. That said, there’s no margin for delays in applying the available patches. Even with the US Cyber Command office issuing warnings and the media reproducing the urgent message, some systems will remain unpatched, as always, and actors will get to enjoy a 10/10 CVSSv3 way in these systems. Hopefully, the certain configuration needed for the exploit to work won’t be commonplace, so the impact will be kept at a minimum.


Recent Articles

What is Zero Trust Network Access (ZTNA) and Why Does it Matter?

Security is not something that's simply tacked on to an existing system. It's a fundamental aspect of that system's design. This is especially true...

How to Watch ‘CMA Best of Fest’ Live Online

We may not be able to attend concerts right now, but we can still enjoy some of our favorite music, especially when it comes...

5 Best VPN for Hong Kong in 2020 (Protect Yourself From The New National Security Law)

Without any doubt, Internet users in Hong Kong are in a very delicate situation right now. As you surely know, this previously independent territory...

How to Watch Quaker State 400 Online – Live Stream NASCAR Cup Series at Kentucky

We've got another NASCAR race on our hands, and the Quaker State 400 is just around the corner. We plan on watching the Quaker...

Seattle Police Booby-Trapped a File to Catch Ransomware Actor

An interesting method used by U.S. law enforcement authorities has been revealed. The FBI and the police use booby-trapped files that are...