Palo Alto’s GlobalProtect SSL VPN product line is vulnerable to a simple format string vulnerability with no authentication required! The sslmgr is the SSL gateway handling the SSL handshake between the server and clients. There is no output for this format string so that we can’t obtain any address-leak to verify the bug. All the GlobalProtect before July 2018 are vulnerable! Here is the affect version list:. The series 9.0x and 7.1x are not affected by this vulnerability.”]
Source: https://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html