Palo Alto Networks has released security updates to fix a denial-of-service (DoS) vulnerability in its PAN-OS firewall software. The issue, tracked as CVE-2026-0227, could allow unauthenticated attackers to disrupt GlobalProtect gateways and portals, forcing affected firewalls into maintenance mode.
The vulnerability has a CVSS v4.0 score of 7.7 (High severity) and was publicly disclosed on January 14, 2026. Palo Alto Networks confirmed that Cloud NGFW is not affected, but several on-premise and Prisma Access deployments are impacted.
What Is the Issue?
The flaw is caused by improper handling of unexpected conditions in PAN-OS. By repeatedly triggering the issue over the network, an attacker can cause the firewall to enter maintenance mode, resulting in a service outage.
No authentication, user interaction, or special privileges are required, making the attack low complexity and easy to automate. While the issue affects availability, it does not impact data confidentiality or integrity.
Palo Alto Networks has confirmed that proof-of-concept (PoC) code exists, although there is currently no evidence of active exploitation.
When Are Systems at Risk?
Systems are vulnerable if GlobalProtect gateways or portals are enabled, which is common in environments that support remote access. The issue affects multiple PAN-OS versions across both legacy and current branches.
Affected and Fixed Versions
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| PAN-OS 12.1 | Earlier than 12.1.3-h3, 12.1.4 | 12.1.3-h3, 12.1.4 |
| PAN-OS 11.2 | Earlier than 11.2.4-h15, 11.2.7-h8, 11.2.10-h2 | 11.2.4-h15, 11.2.7-h8, 11.2.10-h2 |
| PAN-OS 11.1 | Earlier than 11.1.4-h27, 11.1.6-h23, 11.1.10-h9, 11.1.13 | Patched releases listed |
| PAN-OS 10.2 | Earlier than 10.2.7-h32 through 10.2.18-h1 | Corresponding hotfixes |
| PAN-OS 10.1 | Earlier than 10.1.14-h20 | 10.1.14-h20 |
| Prisma Access 11.2 | Earlier than 11.2.7-h8 | 11.2.7-h8 |
| Prisma Access 10.2 | Earlier than 10.2.10-h29 | 10.2.10-h29 |
What Should Administrators Do?
Palo Alto Networks recommends upgrading immediately, as no workaround is available for this vulnerability. Administrators should move to the latest hotfix releases, such as PAN-OS 12.1.4 or 11.2.10-h2, depending on their deployment.
Organizations are also advised to:
- Review GlobalProtect configurations
- Monitor firewall logs for repeated connection attempts
- Watch for signs of DoS activity while PoC code is publicly available
Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!
Leave A Comment