Authentication bypass vulnerabilities in Palo Alto Networks GlobalProtect portal and gateway allow an attacker to bypass authentication requirements and establish an unauthorized VPN connection. The flaw removes the authentication barrier to the VPN, enabling the attacker to obtain a VPN session without proper credentials. The weakness corresponds to CWE-565, indicating a session management flaw.

Affected systems span Palo Alto Networks PAN‑OS firmware from versions 12.1.5 through 12.1.6, any 12.1.2 through 12.1.4‑h*, any 11.2.11 or newer, any 11.2.8 through 11.2.10‑h*, any 11.2.5 through 11.2.7‑h*, and any 11.2.0 through 11.2.4‑h*. For PAN‑OS 11.1, affected ranges include 11.1.14 or newer, any 11.1.11 through 11.1.13‑h*, any 11.1.8 through 11.1.10‑h*, any 11.1.7 through 11.1.7‑h*, any 11.1.5 through 11.1.6‑h*, and any 11.1.0 through 11.1.4‑h*. PAN‑OS 10.2 vulnerable releases are 10.2.17 through 10.2.18‑h*, 10.2.14 through 10.2.16‑h*, 10.2.11 through 10.2.13‑h*, 10.2.8 through 10.2.10‑h*, and 10.2.0 through 10.2.7‑h*, along with all earlier unsupported releases. Prisma Access 10.2 versions 10.2.0 through 10.2.10‑h* and Prisma Access 11.2 versions 11.2.0 through 11.2.7‑h* are affected. PAN‑OS Panorama and Cloud NGFW are not impacted by these issues.

The CVSS score of 7.8 indicates high severity. The EPSS score of 87% indicates a high probability of exploitation in the current threat landscape. The vulnerability is listed in the CISA KEV catalog, meaning it is known to be actively exploited. The likely attack vector is inferred to be remote, as the flaw allows an attacker to establish a VPN session without authenticating from any client that can reach the GlobalProtect portal or gateway.