Zero-Day in Palo Alto GlobalProtect VPN Exposed Over 70,000 Devices
Cybersecurity firm Randori has disclosed a severe vulnerability in Palo Alto Networks firewalls that expose the GlobalProtect portal and gateway VPN interfaces. The issue, tracked as CVE-2021-3064, allows unauthenticated remote code execution on affected systems and carries a CVSS score of 9.8 (critical).
The flaw affects PAN-OS 8.1 releases earlier than 8.1.17. Randori reported finding more than 70,000 vulnerable, internet-facing instances, including deployments at Fortune 500 companies and global enterprises.
Palo Alto Networks was notified of the issue in September 2021 and released a fix in PAN-OS 8.1.17.
“Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally. Randori believes the best way to identify potential points of attack is to assess the attack surface.”
Remote Exploitation via HTTP Smuggling and Buffer Overflow
According to Randori, the vulnerability chain has two key components: an HTTP request smuggling step that bypasses input validation, followed by a stack-based buffer overflow. Combined, these flaws let an attacker execute code remotely on both physical and virtual firewall appliances.
“VPN devices are attractive targets for malicious actors, and exploitation of PA-VM virtual devices, in particular, is made easier due to their lack of Address Space Layout Randomization (ASLR).”
Exploitation is harder on physical appliances, where ASLR is in place, but Randori warns that PA-VM virtual appliances lack that defense and are therefore significantly easier targets. A successful exploit gives the attacker root access on the firewall, enough to extract credentials, modify the configuration, and move laterally into the network behind it.
Discovery Timeline and Ethical Disclosure
Randori began researching the vulnerability in October 2020 and discovered CVE-2021-3064 the following month. During authorized testing it successfully exploited the flaw over the internet against a live customer device.
“We have found the overall security posture of the affected devices to be on par with other vendors in the space. However, exploitation is possible, and valuable, especially on the black market.”
Mitigation and Next Steps for Organizations
To protect systems, organizations should upgrade to a fixed PAN-OS release (8.1.17 or later) and enable Threat Prevention signatures 91820 and 91855 on traffic destined for the GlobalProtect portal and gateway interfaces; Palo Alto Networks released these signatures to block exploitation attempts while patching is under way.
Randori also advises that if VPN functionality is not required, it should be disabled entirely on exposed firewalls.
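The first step in the mitigation above is knowing which devices are still on a pre-fix 8.1 build. The following is an added triage example, not code from Randori or Palo Alto Networks: it parses PAN-OS version strings in the assumed `MAJOR.MINOR.MAINT[-hN]` form (for example `8.1.16-h2`), flags any 8.1 release earlier than 8.1.17 as affected, and reads the version out of a constructed sample of a `show system info` XML response. The XML field names and the inventory contents are assumptions for illustration, and the result is a version check only, not an exploitability test.

```python
"""Added example: flag PAN-OS firewalls still on an 8.1 build that predates
the CVE-2021-3064 fix (8.1.17). Not Randori's or Palo Alto Networks' code.
Assumptions: version strings look like "MAJOR.MINOR.MAINT[-hN]" (e.g. "8.1.16-h2"),
and only the 8.1 branch is in scope, as the article states."""
import re
import xml.etree.ElementTree as ET

# First fixed release on the affected branch, per the article.
FIXED_VERSION = (8, 1, 17)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maint, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version_text):
    """True when the build is on the 8.1 branch and its maintenance release
    is below 8.1.17. A hotfix of an older maintenance release (8.1.16-h2)
    still predates the fix, so the hotfix number is deliberately ignored."""
    major, minor, maint, _hotfix = parse_panos_version(version_text)
    if (major, minor) != FIXED_VERSION[:2]:
        return False  # other branches are outside the scope described here
    return maint < FIXED_VERSION[2]


# Constructed sample of a PAN-OS XML API "show system info" response,
# trimmed to the two fields this example uses (assumed field names).
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<sw-version>8.1.16-h2</sw-version>
</system></result></response>"""


def check_system_info_xml(xml_text):
    """Extract hostname and sw-version from a system-info response and
    return a triage record for it."""
    root = ET.fromstring(xml_text)
    hostname = root.findtext(".//system/hostname")
    version = root.findtext(".//system/sw-version")
    if version is None:
        raise ValueError("sw-version not present in response")
    return {"hostname": hostname, "version": version,
            "vulnerable": is_vulnerable(version)}


def triage(inventory):
    """inventory: {hostname: version string}. Returns the sorted hostnames
    that still need the 8.1.17 upgrade (or the interim signatures)."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration.
    fleet = {"fw-edge-01": "8.1.16-h2", "fw-dc-02": "8.1.17",
             "fw-branch-03": "8.1.9-h4", "fw-lab-04": "10.0.8"}
    print(check_system_info_xml(SAMPLE_SYSTEM_INFO))
    print("needs patch:", triage(fleet))
```

Feeding real `show system info` output into `check_system_info_xml` only requires that the response carry the `sw-version` element; anything that does not match the expected version shape raises rather than silently passing as "not vulnerable", which is the safe failure mode for a patch-status check.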
“This is a prime example of how ethical zero-day research can help defend enterprises against nation-state-level threats.”