Security readout for executives and security teams
Plain-English summary
This flaw can let an unauthenticated attacker bypass SAML login on affected Palo Alto Networks systems when certificate validation is disabled. It can expose VPN resources or, for PAN-OS and Panorama web interfaces, allow administrator access.
Executive priority
Treat this as an immediate remediation item for any SAML-enabled Palo Alto Networks environment. The worst case is full administrative access to firewall or Panorama management, with CISA KEV status increasing urgency.
Technical view
CVE-2020-2021 is a CWE-347 signature-verification failure in PAN-OS SAML authentication. It affects PAN-OS 9.1 before 9.1.3, 9.0 before 9.0.9, 8.1 before 8.1.15, and all 8.0. PAN-OS 7.1 is not affected.
Likely exposure
Exposure is limited to deployments using SAML authentication with 'Validate Identity Provider Certificate' disabled. Relevant surfaces include GlobalProtect Portal, GlobalProtect Gateway, Clientless VPN, Captive Portal, Prisma Access, and PAN-OS or Panorama web interfaces.
Exploitation context
CISA lists CVE-2020-2021 in the Known Exploited Vulnerabilities catalog, indicating known exploitation. Palo Alto Networks' original advisory stated it was not aware of malicious exploitation at publication. Network access to the vulnerable server is required.
Researcher notes
Do not assume exposure from version alone. The exploitable condition requires SAML authentication and disabled IdP certificate validation. Impact differs by protected resource: access to VPN resources for portals/gateways, and administrative actions for PAN-OS or Panorama web interfaces.
Mitigation direction
- Upgrade PAN-OS 9.1 to 9.1.3 or later.
- Upgrade PAN-OS 9.0 to 9.0.9 or later.
- Upgrade PAN-OS 8.1 to 8.1.15 or later.
- Migrate all PAN-OS 8.0 systems from the EOL branch.
- Enable 'Validate Identity Provider Certificate' for SAML Identity Provider Server Profiles.
- Restrict management web interfaces to trusted management networks.
Validation and detection
- Inventory PAN-OS and Panorama versions across firewalls, VM-Series, and Prisma Access dependencies.
- Identify systems using SAML authentication for any protected resource.
- Check whether 'Validate Identity Provider Certificate' is enabled in SAML IdP profiles.
- Confirm GlobalProtect, Clientless VPN, Captive Portal, and admin web interfaces are patched or mitigated.
- Review access logs for suspicious SAML-authenticated sessions around exposed services.
Public sources used
Michael Williams reviewed this cited source version on .
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-347: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCredential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-2021 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 10 (3.1)
- Known Exploited
- Yes
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CISA KEV status
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H3.96Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
10CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://security.paloaltonetworks.com/CVE-2020-2021CVE reference · x_refsource_MISC
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-2021CVE reference · government-resource
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Verification of Cryptographic Signature
Improper Verification of Cryptographic Signature represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
