Security & Attack Surface

Security Posture: GlobalProtect Attack Surface vs NetBird

Executive Summary

GSISG’s GlobalProtect deployment at vpn.gsisg.com running on a PA-2020 firewall represents a severe and compounding security liability. The PA-2020 reached End-of-Sale on April 30, 2015 and End-of-Service-Life on April 30, 2020 — it has been unsupported for nearly six years. The maximum PAN-OS version it can run is 7.1 (itself EOL since June 30, 2020), meaning it cannot receive patches for any CVE discovered after mid-2020. The device’s TLS configuration (TLS 1.0/1.1 enabled, 3DES ciphers, no forward secrecy, unsafe legacy renegotiation) represents deprecated, exploitable cryptography.

Meanwhile, a massive, ongoing credential-spraying campaign has been targeting GlobalProtect portals since December 2025, with 1.7 million login attempts recorded in a single 16-hour window and continued waves observed through at least February 2026. The PA-2020 at vpn.gsisg.com is a sitting target for this campaign.

NetBird presents a fundamentally different security architecture: no exposed login portal (eliminating credential spraying entirely), WireGuard-based encryption with formally verified cryptography, identity-provider-delegated authentication, optional post-quantum key exchange via Rosenpass, and a minimal CVE history. The security delta between the two solutions is not incremental — it is categorical.

Findings

1. GlobalProtect Credential-Spraying Campaign (December 2025+)

Timeline and Scale:

Late November 2025: Unusual scanning activity targeting GlobalProtect portals begins (GreyNoise).
December 11, 2025 (Peak): GreyNoise detects 1.7 million login sessions targeting GlobalProtect portals in just 16 hours. Over 10,000 unique source IP addresses participated.
February 23, 2026: ELLIO’s deception network records an 11x spike in scanning activity. Over 48 hours, approximately 30,000 sessions from 8,575 unique IPs across three distinct waves, using 78 employee-style usernames and a single password (Password1).
March 2026: No direct evidence of cessation. The campaign is assessed as ongoing.

Attribution: Primary hosting infrastructure: 3xK GmbH (Germany) in the December wave. February 2026 wave: GTT Communications (AS3257). Assessed as professional, automated, infrastructure-backed credential probing at scale.

Impact on GSISG: vpn.gsisg.com has a publicly exposed GlobalProtect portal. If it lacks MFA and rate limiting (likely on PAN-OS 7.1), it is directly exposed to this ongoing campaign.

2. Critical CVEs Affecting Palo Alto PAN-OS

CVE-2024-3400 (CVSS 10.0 CRITICAL)

Command injection via arbitrary file creation in GlobalProtect feature
Unauthenticated RCE with root privileges
PA-2020: NOT DIRECTLY AFFECTED — requires PAN-OS 10.2+

CVE-2024-0012 (CVSS 9.3 CRITICAL)

Authentication bypass in PAN-OS management web interface
Active in the wild since November 2024 (“Operation Lunar Peek”), 2,000+ instances compromised worldwide
PA-2020: NOT DIRECTLY AFFECTED — requires PAN-OS 10.2+

Critical Observation: While these specific CVEs do not directly affect the PA-2020 (which maxes out at PAN-OS 7.1), this is not a security advantage. PAN-OS 7.1 has received no security updates for nearly 6 years. Any vulnerabilities in PAN-OS 7.1 are permanently unpatched. The device is running on a version so old it falls outside the scope of modern vulnerability research.

The PA-2020’s real vulnerability exposure includes:

All unpatched vulnerabilities in PAN-OS 7.1 and below
TLS/cipher vulnerabilities (Sweet32/3DES, BEAST/TLS 1.0, Lucky13/TLS 1.1)
No support for modern TLS 1.3
No forward secrecy capability
Unsafe legacy TLS renegotiation (CVE-2009-3555)

3. PA-2020 End-of-Life Status

Milestone	Date
End-of-Sale (EOS)	April 30, 2015
End-of-Service-Life (EOSL)	April 30, 2020
Maximum PAN-OS Version	PAN-OS 7.1
PAN-OS 7.1 EOL	June 30, 2020
Last PAN-OS 7.1 release	7.1.26 (April 30, 2020)
Recommended replacement	PA-1400 Series

The PA-2020 has been end-of-sale for over 11 years and end-of-support for nearly 6 years. No security updates of any kind are available.

4. WireGuard vs IPsec/SSL Security Model

Cipher Suites

Aspect	WireGuard (NetBird)	GlobalProtect IPsec/SSL
Symmetric Encryption	ChaCha20-Poly1305 (AEAD)	Configurable: AES-128/256-CBC/GCM, 3DES (PA-2020 uses 3DES)
Key Exchange	Curve25519 (ECDH)	Configurable: DH groups, RSA
Forward Secrecy	Built-in (ephemeral keys per handshake)	Optional, configuration-dependent
Cipher Negotiation	None — single fixed suite	Full negotiation (attack surface for downgrade)

Code Size & Attack Surface

Metric	WireGuard	IPsec (OpenSwan)	OpenVPN/OpenSSL
Lines of Code	~4,000	~100,000+	~100,000+
Cipher Suite Options	1 (fixed)	Dozens (including legacy)	Dozens
Kernel Integration	Linux kernel mainline (since 5.6)	Kernel + userspace (complex)	Userspace only

Formal Verification

WireGuard has undergone extensive formal verification — a rarity among VPN protocols:

Tamarin symbolic verification (Donenfeld & Milner): Verified correctness, strong key agreement, key-compromise impersonation resistance, forward secrecy, session uniqueness, identity hiding.
Computational proof (eCK Model) (Dowling & Paterson): Security proved in the computational model.
CryptoVerif mechanized proof: Additional computer-aided computational verification.
ProVerif symbolic verification (Kobeissi): Comprehensive Noise framework analysis.
NDSS 2024 unified analysis (SAPIC+/TAMARIN/ProVerif): Most complete analysis, confirming all security properties.
Verified C Implementation of Curve25519: The cryptographic primitive itself has been formally verified.

IPsec has NOT undergone comparable formal verification. Its large codebase and numerous cipher suite combinations make comprehensive formal verification infeasible.

5. NetBird Authentication Model

Why credential spraying is architecturally impossible against NetBird:

No exposed login portal. There is no web-based login page on the public internet. No URL for attackers to send credentials to.
Authentication is delegated to IdPs via OIDC (Entra ID, Okta, Google Workspace, etc.). The IdP handles MFA enforcement, rate limiting, and brute-force protection.
Peer registration requires either interactive IdP login (browser redirect, not scriptable) or a setup key (pre-generated token, not a username/password).
WireGuard Cryptokey Routing. Each peer authenticates via its WireGuard public key. Without a valid cryptographic identity, the connection is silently dropped.
No listening ports on protected resources. An attacker cannot even discover that NetBird is in use.

6. NetBird CVE History

CVE-2025-10678 (Use of Default Credentials)

Severity: Medium
Description: Self-hosted instances installed via the provided script retained a default admin credential.
Fixed in: v0.57.0. Self-hosted only; not a protocol vulnerability.

CVE-2024-41260 (Static Initialization Vector)

Severity: 7.5 HIGH
Description: Static IV in encrypt function could allow information disclosure of email addresses — requires pre-existing database access.
Fixed in: v0.29.1+. Server-side management only; does not affect the WireGuard data plane.

Overall Assessment: NetBird has no critical protocol or architectural vulnerabilities. The WireGuard data plane has never been compromised.

7. Device Compromise & Revocation

If a laptop with always-on NetBird VPN is stolen:

Peer deletion from management dashboard: device immediately loses authorization, connection drops within seconds.
IdP-driven revocation: Deactivate the user in Entra ID; NetBird access revoked at next sync/token refresh.
Login expiration: Configurable peer login expiration forces re-authentication; stolen device with expired session cannot reconnect.
Micro-segmentation: Access policies limit reachable resources regardless of connection status.
Group-based isolation: Move compromised peer to an isolated group with no access policies.

8. Rosenpass Post-Quantum Key Exchange

Rosenpass provides post-quantum key exchange using Classic McEliece + ML-KEM (NIST standard). It operates as a sidecar to WireGuard, providing hybrid security — breaking the connection requires defeating BOTH classical Curve25519 AND post-quantum algorithms.

Available since: NetBird v0.25.4
Activation: netbird up --enable-rosenpass
PSK rotation: Every 2 minutes
Status: Experimental — desktop only, not supported on mobile

9. Zero Trust vs Zone-Based Security

Aspect	GlobalProtect (Zone-Based)	NetBird (Zero Trust)
Trust Model	Perimeter-based: VPN = trusted zone	Every connection verified independently
Network Model	Centralized hub-and-spoke	Decentralized peer-to-peer mesh
Access Granularity	Zone-based policies, IP-based rules	Identity-based, per-resource policies
Authentication	Username/password to exposed portal	IdP-delegated OIDC + WireGuard cryptographic identity
Lateral Movement	Limited only by internal firewall rules	Each resource requires explicit policy; default deny
Single Point of Failure	VPN concentrator (firewall)	No SPOF: P2P mesh, multiple relay servers

Gaps & Uncertainties

Credential spraying campaign status post-February 2026 — assessed as ongoing but not directly confirmed.
PA-2020 exact PAN-OS version at vpn.gsisg.com — could be older than 7.1, which would be worse.
Undisclosed PAN-OS 7.1 vulnerabilities — inherently unknowable; researchers no longer test against it.
Self-hosted SIEM streaming — only available in cloud version; self-hosted requires custom log forwarding.

Sources

Credential Campaign: GreyNoise blog, BleepingComputer, ELLIO GlobalProtect analysis, CybersecurityDive

CVEs: NVD (CVE-2024-3400, CVE-2024-0012, CVE-2024-9474), Palo Alto Security Advisories

End-of-Life: Palo Alto EoL pages, Park Place Technologies, Procurri

WireGuard Security: wireguard.com/formal-verification, NDSS 2024 paper, MIT 6.857 audit

NetBird Security: trust.netbird.io, CERT Polska (CVE-2025-10678), NVD (CVE-2024-41260), NetBird Knowledge Hub