Palo Alto Networks Security Advisories / CVE-2020-2034

CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal

Severity: 8.1 · HIGH
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH


An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges. To exploit this issue, an attacker would need some level of specific information about the configuration of an impacted firewall, or would need to perform brute-force attacks. This issue cannot be exploited if the GlobalProtect portal feature is not enabled.

This issue impacts PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; all versions of PAN-OS 8.0 and PAN-OS 7.1.

Prisma Access services are not impacted by this vulnerability. Firewalls that were upgraded to the latest versions of PAN-OS to resolve CVE-2020-2021 are not vulnerable to this issue.

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Product Status

Versions      Affected    Unaffected
PAN-OS 9.1    < 9.1.3     >= 9.1.3
PAN-OS 9.0    < 9.0.9     >= 9.0.9
PAN-OS 8.1    < 8.1.15    >= 8.1.15
PAN-OS 8.0    8.0.*       None
PAN-OS 7.1    7.1.*       None

Required Configuration for Exposure

This issue is applicable only where GlobalProtect portal is enabled.


CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious attempts to exploit this vulnerability.

Weakness Type

CWE-78 OS Command Injection


This issue is fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later PAN-OS versions.

PAN-OS 7.1 and PAN-OS 8.0 are end-of-life (as of June 30, 2020 and October 31, 2019 respectively) and are no longer covered by our Product Security Assurance policies.
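
A fleet triage check built from the version ranges and the GlobalProtect portal condition stated in this advisory, as an added example that is not part of the original advisory and is not Palo Alto Networks code. The inventory, hostnames and status labels are constructed for illustration, and the parser assumes version strings of the form major.minor.maintenance with an optional -hN hotfix suffix.

```python
import re

# Release trains and their first fixed version, taken from the advisory text.
FIRST_FIXED = {(9, 1): (9, 1, 3), (9, 0): (9, 0, 9), (8, 1): (8, 1, 15)}
# End-of-life trains: the advisory lists every version as affected.
ALL_AFFECTED = {(8, 0), (7, 1)}
# Assumed format: "9.0.8", or a hotfix build such as "9.0.8-h2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """Return (major, minor, maintenance); the hotfix suffix is ignored
    because every fixed version in the advisory is a base release."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version, portal_enabled):
    """Classify one firewall against CVE-2020-2034 (labels are illustrative)."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train in ALL_AFFECTED:
        vulnerable = True
    elif train in FIRST_FIXED:
        vulnerable = parsed < FIRST_FIXED[train]
    elif train > (9, 1):
        vulnerable = False  # "all later PAN-OS versions" carry the fix
    else:
        return "not-listed"  # older than 7.1: the advisory makes no statement
    if not vulnerable:
        return "fixed"
    # The issue is only exploitable when the GlobalProtect portal is enabled.
    return "exposed" if portal_enabled else "vulnerable-not-exposed"


# Constructed inventory: (hostname, PAN-OS version, GlobalProtect portal enabled).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "9.1.2", True),
    ("fw-edge-02", "9.0.9-h1", True),
    ("fw-lab-01", "8.1.14", False),
    ("fw-old-01", "8.0.20", True),
    ("fw-new-01", "10.0.0", True),
]


def triage(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(version, portal) for host, version, portal in inventory}
```

Devices reported as "vulnerable-not-exposed" still run an affected release and become exposed as soon as the portal is enabled, so they belong in the upgrade queue as well.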

Workarounds and Mitigations

Until PAN-OS software is upgraded to a fixed version, enabling signatures for Unique Threat ID 58658 on traffic destined for the GlobalProtect portal will block attacks against CVE-2020-2034.


This issue was found by Yamata Li of Palo Alto Networks during internal security review.


Updated workaround section with Threat Prevention signature.
Initial publication
© 2023 Palo Alto Networks, Inc. All rights reserved.