Home / Threat Intelligence bulletins / Remote Code Execution Zero-Day Reported in PAN-OS 8.1 VPN Portal


Researchers have published an advisory of a memory corruption vulnerability (CVE-2021-3064) in Palo Alto Networks GlobalProtect portal.

The bug has been fixed since PAN-OS version 8.1.17 but info about CVE-2021-3064 was not released until recently.

Shodan shows tens of thousands of devices currently vulnerable.


A remote, unauthenticated attacker would be able to execute code on a vulnerable device and from there, gain access to the rest of the network.

Vulnerability Detection

Check the running version of PAN-OS.

Affected Products

PAN-OS 8.1 versions earlier than 8.1.17

Containment, Mitigations & Remediations

PAN Threat Prevention Signatures (IDs 91820 and 91855) can be used to block the traffic.

Indicators of Compromise

None listed.

Threat Landscape

VPNs are attractive targets for threat actors because they act as a front door to the rest of the network.

There are no reports of exploitation and no proof-of-concept code has been released yet, but the researchers note that this is likely to be released soon.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Zero-Day Disclosure: Palo Alto Networks GlobalProtect VPN CVE-2021-3064