LiveActive security incident?Get immediate response
CVE Record

CVE-2020-2021: PAN-OS: Authentication Bypass in SAML Authentication

When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability. This issue affects PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). This issue does not affect PAN-OS 7.1. This issue cannot be exploited if SAML is not used for authentication. This issue cannot be exploited if the 'Validate Identity Provider Certificate' option is enabled (checked) in the SAML Identity Provider Server Profile. Resources that can be protected by SAML-based single sign-on (SSO) authentication are: GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, Prisma Access In the case of GlobalProtect Gateways, GlobalProtect Portal, Clientless VPN, Captive Portal, and Prisma Access, an unauthenticated attacker with network access to the affected servers can gain access to protected resources if allowed by configured authentication and Security policies. There is no impact on the integrity and availability of the gateway, portal or VPN server. An attacker cannot inspect or tamper with sessions of regular users. In the worst case, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). In the case of PAN-OS and Panorama web interfaces, this issue allows an unauthenticated attacker with network access to the PAN-OS or Panorama web interfaces to log in as an administrator and perform administrative actions. In the worst-case scenario, this is a critical severity vulnerability with a CVSS Base Score of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). If the web interfaces are only accessible to a restricted management network, then the issue is lowered to a CVSS Base Score of 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

CriticalCVSS 10Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

This flaw can let an unauthenticated attacker bypass SAML login on affected Palo Alto Networks systems when certificate validation is disabled. It can expose VPN resources or, for PAN-OS and Panorama web interfaces, allow administrator access.

Executive priority

Treat this as an immediate remediation item for any SAML-enabled Palo Alto Networks environment. The worst case is full administrative access to firewall or Panorama management, with CISA KEV status increasing urgency.

Technical view

CVE-2020-2021 is a CWE-347 signature-verification failure in PAN-OS SAML authentication. It affects PAN-OS 9.1 before 9.1.3, 9.0 before 9.0.9, 8.1 before 8.1.15, and all 8.0. PAN-OS 7.1 is not affected.

Likely exposure

Exposure is limited to deployments using SAML authentication with 'Validate Identity Provider Certificate' disabled. Relevant surfaces include GlobalProtect Portal, GlobalProtect Gateway, Clientless VPN, Captive Portal, Prisma Access, and PAN-OS or Panorama web interfaces.

Exploitation context

CISA lists CVE-2020-2021 in the Known Exploited Vulnerabilities catalog, indicating known exploitation. Palo Alto Networks' original advisory stated it was not aware of malicious exploitation at publication. Network access to the vulnerable server is required.

Researcher notes

Do not assume exposure from version alone. The exploitable condition requires SAML authentication and disabled IdP certificate validation. Impact differs by protected resource: access to VPN resources for portals/gateways, and administrative actions for PAN-OS or Panorama web interfaces.

Mitigation direction

  • Upgrade PAN-OS 9.1 to 9.1.3 or later.
  • Upgrade PAN-OS 9.0 to 9.0.9 or later.
  • Upgrade PAN-OS 8.1 to 8.1.15 or later.
  • Migrate all PAN-OS 8.0 systems from the EOL branch.
  • Enable 'Validate Identity Provider Certificate' for SAML Identity Provider Server Profiles.
  • Restrict management web interfaces to trusted management networks.

Validation and detection

  • Inventory PAN-OS and Panorama versions across firewalls, VM-Series, and Prisma Access dependencies.
  • Identify systems using SAML authentication for any protected resource.
  • Check whether 'Validate Identity Provider Certificate' is enabled in SAML IdP profiles.
  • Confirm GlobalProtect, Clientless VPN, Captive Portal, and admin web interfaces are patched or mitigated.
  • Review access logs for suspicious SAML-authenticated sessions around exposed services.
Prepared
Reviewed
Confidence
high
Sources
4

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-347: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-2021 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
10 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
10CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H3.96Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

10Critical
CVSS 3.1 vector shape for CVE-2020-2021Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Palo Alto NetworksPAN-OS7.1.*, 8.0.*, 8.1, 9.0, 9.1Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-347 · source CWE mapping

Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.