Version Minor Version Suggested Solution PAN-OS 11.2 11.2.0 through 11.2.2 Upgrade to 11.2.3 or laterPAN-OS 11.1 11.1.0 through 11.1.4 Upgrade to 11.1.5 or later PAN-OS 11.011.0.0 through 11.0.5Upgrade to 11.0.6 or laterPAN-OS 10.2 10.2.10 Upgrade to 10.2.10-h6 or 10.2.11 or later  10.2.5 through 10.2.9Upgrade to 10.2.9-h13 or 10.2.11 or later 10.2.0 through 10.2.4Upgrade to 10.2.4-h25 or 10.2.11 or laterPAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h11 or later All other older unsupported PAN-OS versions Upgrade to a supported fixed version. PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version. We proactively initiated an upgrade of Prisma Access on March 21, 2025, to cover all tenants.

This issue impacts only firewalls on which you configured a GlobalProtect portal to use SAML Authentication. You can verify whether you configured GlobalProtect portal by checking for entries in your firewall web interface (Network → GlobalProtect → Portals). If you do have GlobalProtect portals or gateways in your configuration, then you can verify whether you configured SAML Authentication on these portals by checking your firewall web interface (Network → GlobalProtect → Portals → (portal-config) → Authentication).

This issue can be mitigated using a different form of authentication for the GlobalProtect portal (such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos). For more information about configuring authentication for the GlobalProtect portal see this technical documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-authentication-configuration-tab .

Palo Alto Networks is not aware of any malicious exploitation of this issue.