CVE-2021-3060

HIGH

PAN-OS <8.1.20-h1, <9.0.14-h3, <9.1 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-3060. PoCs published by timb-machine-mirrors, anmolksachan.

AI-analyzed exploit summary This exploit leverages CVE-2021-3060, a command injection vulnerability in Palo Alto Networks GlobalProtect SSL VPN. It crafts malicious SCEP requests to create a webshell and execute arbitrary commands as root via OpenSSL engine loading.

Description

An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customers with Prisma Access 2.1 Preferred and Prisma Access 2.1 Innovation firewalls are impacted by this issue.

Exploits (2)

nomisec WORKING POC 1 stars

by timb-machine-mirrors · poc

https://github.com/timb-machine-mirrors/rqu1-cve-2021-3060.py

View Code ZIP pw:eip

This exploit leverages CVE-2021-3060, a command injection vulnerability in Palo Alto Networks GlobalProtect SSL VPN. It crafts malicious SCEP requests to create a webshell and execute arbitrary commands as root via OpenSSL engine loading.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Palo Alto Networks GlobalProtect SSL VPN (PAN-OS)

No auth needed

Prerequisites: Network access to vulnerable GlobalProtect portal · SCEP profile name

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by anmolksachan · poc

https://github.com/anmolksachan/CVE-2021-3060

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-3060, an OS command injection vulnerability in Palo Alto Networks' PAN-OS SCEP feature. The exploit chains command injection to achieve remote code execution (RCE) as root by creating a webshell, uploading a malicious shared library, and loading it via OpenSSL.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PAN-OS (versions before 8.1.20-h1, 9.0.14-h3, 9.1.11-h2, 10.0.8, 10.1.3)

No auth needed

Prerequisites: Network access to GlobalProtect interfaces · Knowledge of the SCEP profile name

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://security.paloaltonetworks.com/CVE-2021-3060

Vendor Advisory x_refsource_misc

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/configure-the-master-key.html

Vendor Advisory x_refsource_misc

https://docs.paloaltonetworks.com/prisma/prisma-access/innovation/2-1/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/get-started-with-prisma-access-overview.html

Scores

CVSS v3 8.1

EPSS 0.3387

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

paloaltonetworks/pan-os 8.1.0 - 8.1.20

paloaltonetworks/prisma_access 2.1 (2 CPE variants)

Published Nov 10, 2021

Tracked Since Feb 18, 2026