GlobalProtect is a primary perimeter control for organizations using Palo Alto Networks VPN infrastructure; a successful bypass grants an attacker the same network access as an authorized employee without requiring stolen credentials. If exploited, an unauthorized actor could access internal systems, move laterally, and exfiltrate data. Potential consequences include operational disruption, regulatory notification obligations under GDPR, HIPAA, or equivalent frameworks if sensitive data is accessed, and reputational harm from the failure of a perimeter control. The medium CVSS score and the absence of active exploitation reduce urgency relative to a critical zero-day, but the wide version footprint across multiple PAN-OS major releases means most organizations running GlobalProtect should treat this as a prioritized patch cycle item.
You Are Affected If
You run PAN-OS 10.2, 11.1, 11.2, or 12.1 with GlobalProtect portal or gateway components enabled
You run Prisma Access 10.2 or 11.2
Authentication override cookies are enabled on the GlobalProtect portal or gateway
A non-default certificate configuration is present on the affected GlobalProtect component
The GlobalProtect portal or gateway is accessible from the internet without upstream WAF or IPS filtering
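The conditions above can be checked mechanically against an exported PAN-OS XML configuration. The script below is an added example, not the advisory's or Palo Alto Networks' own tooling: it parses an export, maps the device version to its major.minor train, and lists every portal or gateway entry that enables authentication override cookies. The XML element names it searches for (global-protect-portal, global-protect-gateway, authentication-override, generate-cookie, accept-cookie) and the layout of the embedded sample export are assumptions about the export format and should be verified against a real export; the non-default certificate condition and internet exposure are not something a config grep can settle, so the script only flags what it can test.

```python
"""Audit a PAN-OS XML configuration export against the 'You Are Affected If'
conditions above. Added example: not the advisory's or Palo Alto Networks'
own tooling, and the element names it searches for are assumptions."""
import xml.etree.ElementTree as ET

# PAN-OS trains the advisory names as affected. The fixed point releases are not
# stated on this page, so a train match means "check the vendor advisory", not
# "confirmed vulnerable".
AFFECTED_TRAINS = {"10.2", "11.1", "11.2", "12.1"}

# GlobalProtect component containers whose child entries are inspected. Assumed
# tag names, modelled on how PAN-OS exports nest portal and gateway objects.
COMPONENT_TAGS = ("global-protect-portal", "global-protect-gateway")

# Constructed sample export: one portal with auth-override cookies enabled and
# one gateway without. The element layout is an assumption, not a real device export.
SAMPLE_CONFIG = """<config version="11.1.4">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="corp-portal">
          <client-config><configs><entry name="default">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <accept-cookie>
                <cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime>
              </accept-cookie>
            </authentication-override>
          </entry></configs></client-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="corp-gateway">
          <remote-user-tunnel-configs><entry name="default">
            <authentication-override>
              <generate-cookie>no</generate-cookie>
            </authentication-override>
          </entry></remote-user-tunnel-configs>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def train_of(version):
    """Reduce a full version such as '11.1.4' to its major.minor train '11.1'."""
    return ".".join(version.split(".")[:2])


def find_cookie_overrides(root):
    """Return (component, entry name, generate, accept) for every auth-override block."""
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        for entry in comp.findall("entry"):
            for ov in entry.iter("authentication-override"):
                gen = (ov.findtext("generate-cookie") or "no").strip() == "yes"
                accept = ov.find("accept-cookie") is not None
                findings.append((comp.tag, entry.get("name"), gen, accept))
    return findings


def assess(xml_text):
    """Combine the version train check with the cookie override check."""
    root = ET.fromstring(xml_text)
    version = root.get("version", "")
    train_hit = train_of(version) in AFFECTED_TRAINS
    cookies_on = [f for f in find_cookie_overrides(root) if f[2] or f[3]]
    return {
        "version": version,
        "train_affected": train_hit,
        "cookie_overrides": cookies_on,
        # Only the two conditions this script can test; the certificate
        # configuration and internet exposure still need manual review.
        "needs_review": train_hit and bool(cookies_on),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    for comp, name, gen, acc in result["cookie_overrides"]:
        print(f"{comp}/{name}: generate-cookie={gen} accept-cookie={acc}")
    print("needs review:", result["needs_review"])
```

Run it against a real export (for example the XML saved from the device's configuration export) in place of SAMPLE_CONFIG; a "needs review" result means the version train and cookie conditions both match and the remaining conditions on the list above should be checked by hand before deciding where the device sits in the patch cycle.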
Board Talking Points
A medium-severity flaw in our VPN gateway software could allow an outsider to connect to the corporate network without a password under a specific configuration.
The security team should verify whether our environment matches the vulnerable configuration and apply the vendor patch within the current patch cycle, targeting remediation within 30 days given no active exploitation.
If left unpatched and if our configuration is affected, an attacker who discovers this could gain the same network access as a legitimate employee, bypassing our primary remote-access control.
HIPAA — GlobalProtect VPN is commonly the access control boundary for systems processing electronic protected health information; an authentication bypass could constitute unauthorized access requiring breach analysis under 45 CFR §164.402
GDPR — Unauthorized VPN access enabling exposure of EU personal data may trigger 72-hour breach notification obligations under Article 33