VYPR
Unrated severity · NVD Advisory · Published May 13, 2020 · Updated Sep 16, 2024

PAN-OS: Panorama authentication bypass vulnerability

CVE-2020-2018

Description

An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama's management interface to gain privileged access to managed firewalls. An attacker requires some knowledge of managed firewalls to exploit this issue. This issue does not affect Panorama configured with custom certificates authentication for communication between Panorama and managed devices. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.12; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authentication bypass in Panorama's context switching feature allows network attackers to gain privileged access to managed firewalls.

Vulnerability

The vulnerability resides in the Panorama context switching feature and allows an attacker with network access to a Panorama management interface to bypass authentication and gain privileged access to managed firewalls. Affected versions: PAN-OS 7.1 earlier than 7.1.26, PAN-OS 8.1 earlier than 8.1.12, PAN-OS 9.0 earlier than 9.0.6, and all versions of PAN-OS 8.0. Panorama configured with custom certificates authentication for communication between Panorama and managed devices is not affected [1].

Exploitation

An attacker must have network access to the Panorama management interface and some knowledge of managed firewalls. No authentication or user interaction is required. The attack complexity is high because the attacker needs knowledge of the target firewalls, but no credentials are needed [1].

Impact

Successful exploitation gives the attacker privileged access to managed firewalls, potentially leading to complete compromise of confidentiality, integrity, and availability of the firewalls and the networks they protect (CVSSv3.1 Base Score 9.0, Critical) [1].

Mitigation

The issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.12, and PAN-OS 9.0.6 and later versions. Upgrading Panorama to a fixed version is sufficient. PAN-OS 8.0 is end-of-life as of October 31, 2019, and no longer covered by security policies. As a workaround, enable custom certificates authentication between Panorama and managed firewalls, and follow best practices for securing the PAN-OS management interface [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Range: PAN-OS versions before 7.1.26, 8.1.12, 9.0.6, and all 8.0
  • Paloaltonetworks/Pan Os (llm-fuzzy), 2 versions: 7.1 <7.1.26, 8.1 <8.1.12, 9.0 <9.0.6, 8.0 all
    • (no CPE) range: 7.1 <7.1.26, 8.1 <8.1.12, 9.0 <9.0.6, 8.0 all
    • (no CPE) range: 8.0.*
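
The affected ranges and the custom-certificates exception described above can be turned into an inventory triage check. The following is an added example, not code from the advisory or the vendor; the status labels, function names and sample inventory are assumptions, and it assumes a hotfix suffix such as `-h2` does not change how a release compares against the fixed maintenance release.

```python
import re

# Fixed maintenance release per affected branch, taken from the advisory text.
FIXED = {(7, 1): 26, (8, 1): 12, (9, 0): 6}
# Branches where every release is affected (8.0 is end-of-life).
ALL_AFFECTED = {(8, 0)}

# Accepts "8.1.11" or "8.1.11-h3"; the hotfix suffix is parsed but ignored (assumption).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def assess(version, custom_certs=False):
    """Classify one Panorama release against the advisory's affected ranges."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"  # do not guess; flag for manual review
    major, minor, maint = map(int, m.groups())
    branch = (major, minor)
    if branch in ALL_AFFECTED:
        in_range = True
    elif branch in FIXED:
        in_range = maint < FIXED[branch]
    else:
        return "branch-not-listed"  # the advisory makes no statement here
    if not in_range:
        return "fixed"
    # Per the advisory, custom-certificate authentication between Panorama
    # and managed devices means the issue does not apply.
    return "in-range-custom-certs" if custom_certs else "affected"


def triage(inventory):
    """Map hostname -> status for (hostname, version, custom_certs) rows."""
    return {host: assess(ver, certs) for host, ver, certs in inventory}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = [
    ("pano-a", "8.1.11-h2", False),
    ("pano-b", "9.0.6", False),
    ("pano-c", "8.0.20", False),
    ("pano-d", "7.1.25", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as `in-range-custom-certs` still run a release inside the affected range, so they remain candidates for upgrade to a fixed version.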


References

1
