Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors

A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.


Palo Alto Networks is urging emergency patching of PAN-OS following confirmed mass exploitation of CVE-2026-3197, a critical SAML authentication bypass in the GlobalProtect SSL-VPN portal and gateway. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 8 April 2026, and Palo Alto’s Unit 42 team has confirmed exploitation by at least three distinct threat actor clusters — including one nation-state group assessed with high confidence as China-nexus and targeting government and critical infrastructure networks across the Asia-Pacific region.

The Vulnerability

CVE-2026-3197 affects the SAML authentication handler in PAN-OS GlobalProtect, the component used when GlobalProtect is configured to authenticate users via a SAML identity provider such as Okta, Microsoft Entra ID, or Duo Security. This is a common enterprise configuration for organisations deploying GlobalProtect as a remote access VPN.

The vulnerability is a signature verification flaw in how PAN-OS processes SAML assertions. By sending a crafted SAML response with a manipulated XML signature envelope, an unauthenticated remote attacker can cause the GlobalProtect gateway to accept a forged authentication context as valid. The gateway grants the attacker administrative access to the firewall management plane without any valid credentials or knowledge of the configured SAML identity provider.

From this administrative position, an attacker can modify firewall security policies, create persistent administrative accounts, extract configuration data including VPN credentials from connected clients, and redirect or intercept traffic transiting the device. The impact on a perimeter firewall is correspondingly high: the firewall that was protecting a network segment can be reconfigured to enable the attacker’s lateral movement.

The Command Execution Chain

CVE-2026-3197 becomes a full remote code execution vulnerability when chained with CVE-2026-3201, a post-authentication command injection flaw in the PAN-OS management interface (CVSS 8.4). Unit 42 has confirmed that the two vulnerabilities chain to produce unauthenticated root-level OS command execution: CVE-2026-3197 grants administrative access, which satisfies the authentication requirement for CVE-2026-3201, which then allows arbitrary OS command injection under the root context.

The combined exploit chain has been observed in Unit 42’s incident response engagements and proof-of-concept code has been published publicly. Defenders should treat CVE-2026-3197 as carrying an effective severity equivalent to the combined chain — unauthenticated RCE — rather than the lower impact of the authentication bypass alone.

Affected Products

CVE-2026-3197 affects PAN-OS deployments with GlobalProtect enabled and configured with SAML authentication:

  • PAN-OS 11.2.x prior to 11.2.4
  • PAN-OS 11.1.x prior to 11.1.5
  • PAN-OS 11.0.x prior to 11.0.6
  • PAN-OS 10.2.x prior to 10.2.12
  • PAN-OS 10.1.x (all versions — end of life, no patch will be issued; migration required)

Deployments using local authentication or LDAP/RADIUS without SAML are not affected by CVE-2026-3197, though CVE-2026-3201 applies independently to authenticated sessions.

Exploitation Activity

Unit 42 has characterised three exploitation clusters operating concurrently. The first, designated CL-STA-0047 and attributed with high confidence to a China-nexus threat actor, has been targeting government ministries, defence contractors, and telecommunications operators across South-East Asia and Pacific island nations. This cluster’s post-exploitation methodology includes deploying a modified PAN-OS maintenance partition that persists across OS upgrades — a sophisticated technique intended to survive patching events.

The second cluster exhibits ransomware precursor behaviour consistent with the Fog ransomware group, focusing on mid-market enterprises in manufacturing, logistics, and professional services. Attackers are using the firewall compromise as a launchpad for lateral movement into adjacent network segments prior to deploying encryption tooling.

The third cluster is opportunistic: broad scanning for vulnerable GlobalProtect portals followed by credential harvesting and access brokering — selling compromised firewall access to other criminal groups.

Recommended Actions

  • Patch immediately. Upgrade to PAN-OS 10.2.12, 11.0.6, 11.1.5, or 11.2.4 depending on your version. Devices running PAN-OS 10.1.x are end of life and must be migrated to a supported version before they can receive security patches.
  • Disable GlobalProtect SAML authentication as a temporary mitigation if immediate patching is not feasible and SAML is not operationally critical. Switch to local authentication, LDAP, or RADIUS as a bridge control until the patch can be applied.
  • Restrict access to the GlobalProtect portal. Network ACLs or Palo Alto’s built-in GP portal source IP restrictions should limit the portal to expected client geographies and known VPN client IP ranges. Filtering at the network level reduces the exposure window during remediation.
  • Review GlobalProtect authentication logs for anomalous SAML assertions. In PAN-OS logs, filter for SAML authentication events where the assertion source IP does not match the configured identity provider’s known address ranges. Any such events indicate exploitation attempts or confirmed compromise.
  • Audit firewall configuration changes for the past 30 days. If exploitation is suspected, review the configuration audit trail for new administrative accounts, altered security policies, new NAT rules redirecting traffic externally, or changes to SSL-VPN profiles.
  • Check for CL-STA-0047 persistence mechanisms. Unit 42’s advisory includes indicators for the maintenance partition persistence technique used by this actor. Review /opt/panlogs/mnt/usb0 for unexpected entries and validate the integrity of the maintenance partition against known-good baselines.
  • Enrol in Palo Alto’s Threat Prevention feed to receive signature-based detection for the CVE-2026-3197/3201 exploit chain during the remediation window — this provides a detection layer even before patching is complete.
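The log review described in the list above (SAML authentication events whose source address falls outside the identity provider's known ranges) as a small triage script. This is an added example, not code from the article or from Palo Alto Networks: the key=value record format, the field names and the address ranges are constructed placeholders, and real PAN-OS log fields will differ, so map them before using this against exported logs.

```python
import ipaddress
import re

# Constructed sample records in a simplified, hypothetical key=value layout.
# These are NOT real PAN-OS log lines; field names are assumptions for the demo.
SAMPLE_LOGS = """\
ts=2026-04-08T09:12:01Z type=auth method=saml user=alice@corp.example src=203.0.113.10 result=success
ts=2026-04-08T09:13:44Z type=auth method=saml user=admin src=198.51.100.77 result=success
ts=2026-04-08T09:14:02Z type=auth method=ldap user=bob src=198.51.100.78 result=success
ts=2026-04-08T09:15:30Z type=auth method=saml user=svc-backup src=192.0.2.200 result=success
ts=2026-04-08T09:16:05Z type=auth method=saml user=carol@corp.example src=203.0.113.25 result=failure
"""

# Address ranges you expect legitimate SAML assertions to come from.
# Constructed placeholder; replace with the ranges your IdP publishes.
IDP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value record into a dict (unknown keys are kept as-is)."""
    return dict(FIELD_RE.findall(line))


def is_from_idp(src):
    """True if src parses as an IP address inside one of IDP_RANGES."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in IDP_RANGES)


def find_anomalous_saml(logs):
    """Return SAML auth events (success or failure) whose source is not an IdP range."""
    hits = []
    for line in logs.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "auth" or rec.get("method") != "saml":
            continue  # only SAML events are relevant to this check
        if not is_from_idp(rec.get("src", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_anomalous_saml(SAMPLE_LOGS):
        print(f"{rec['ts']} user={rec['user']} src={rec['src']} result={rec['result']}")
```

Successful events in the output deserve priority: a failed assertion from an unexpected source is an attempt, while a successful one is the administrative access the article describes and should trigger the configuration audit in the next item.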