Palo Alto Networks addressed a GlobalProtect flaw, PoC exists

Pierluigi Paganini, January 15, 2026

Palo Alto Networks addressed a flaw impacting GlobalProtect Gateway and Portal, for which a proof-of-concept (PoC) exploit exists.

Palo Alto Networks addressed a high-severity vulnerability, tracked as CVE-2026-0227 (CVSS score: 7.7), affecting GlobalProtect Gateway and Portal, for which a proof-of-concept (PoC) exploit exists.

GlobalProtect is Palo Alto Networks’ VPN and secure remote-access solution. It gives users a protected connection to their organization’s network by routing their traffic through a Palo Alto firewall, which applies the same security controls used inside the corporate environment.

The flaw affects Palo Alto Networks PAN-OS and allows an attacker to disrupt a firewall without authentication.

“A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall,” reads the advisory. “Repeated attempts to trigger this issue results in the firewall entering into maintenance mode.”

By repeatedly exploiting the vulnerability, an attacker can force the device into maintenance mode, causing a denial-of-service condition that interrupts network traffic and firewall protection until administrators intervene.

Below is the list of the impacted versions:

| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.3-h3, < 12.1.4 | >= 12.1.3-h3, >= 12.1.4 |
| PAN-OS 11.2 | < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2 | >= 11.2.4-h15 (ETA: 1/14/2026), >= 11.2.7-h8, >= 11.2.10-h2 |
| PAN-OS 11.1 | < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13 | >= 11.1.4-h27, >= 11.1.6-h23, >= 11.1.10-h9, >= 11.1.13 |
| PAN-OS 10.2 | < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1 | >= 10.2.7-h32, >= 10.2.10-h30, >= 10.2.13-h18, >= 10.2.16-h6, >= 10.2.18-h1 |
| PAN-OS 10.1 | < 10.1.14-h20 | >= 10.1.14-h20 |
| Prisma Access 11.2 | < 11.2.7-h8* | >= 11.2.7-h8* |
| Prisma Access 10.2 | < 10.2.10-h29* | >= 10.2.10-h29* |

The cybersecurity vendor states that the vulnerability affects only PAN-OS or Prisma Access setups where the GlobalProtect gateway or portal is enabled.
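For triaging a firewall inventory against the fixed releases listed above, here is an added example; it is not code from the advisory or from the original article. It assumes the usual PAN-OS hotfix convention: a fix such as 11.2.7-h8 covers only the 11.2.7 hotfix train, and a release on a maintenance number that is not listed counts as patched only when it is at or above the newest fix listed for its branch. The function names and the sample inventory are hypothetical, and the Prisma Access rows are left out.

```python
import re

# Fixed releases per branch, transcribed from the table on this page.
FIXED = {
    "12.1": ["12.1.3-h3", "12.1.4"],
    "11.2": ["11.2.4-h15", "11.2.7-h8", "11.2.10-h2"],
    "11.1": ["11.1.4-h27", "11.1.6-h23", "11.1.10-h9", "11.1.13"],
    "10.2": ["10.2.7-h32", "10.2.10-h30", "10.2.13-h18", "10.2.16-h6", "10.2.18-h1"],
    "10.1": ["10.1.14-h20"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'11.2.7-h8' -> (11, 2, 7, 8); a release without a hotfix gets hotfix 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version, globalprotect_enabled):
    """Return 'not-exposed', 'patched', 'affected' or 'unlisted-branch'."""
    if not globalprotect_enabled:
        return "not-exposed"  # page: only gateway/portal-enabled setups are affected
    major, minor, maint, hotfix = parse(version)
    fixes = FIXED.get(f"{major}.{minor}")
    if fixes is None:
        return "unlisted-branch"  # branch not in the table: check the vendor advisory
    parsed = [parse(f) for f in fixes]
    # Same maintenance release as a listed fix: compare hotfix numbers only.
    for _, _, f_maint, f_hotfix in parsed:
        if f_maint == maint:
            return "patched" if hotfix >= f_hotfix else "affected"
    # Assumption: otherwise only a release at or above the newest listed fix is patched.
    return "patched" if (major, minor, maint, hotfix) >= max(parsed) else "affected"

# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = [("fw-edge-01", "11.2.7-h7", True), ("fw-edge-02", "11.2.5", True),
             ("fw-dc-01", "10.2.18-h1", True), ("fw-lab-01", "10.1.14-h19", False)]

if __name__ == "__main__":
    for host, ver, gp in INVENTORY:
        print(f"{host:12} {ver:12} {triage(ver, gp)}")
```

A plain numeric comparison would call 11.2.5 patched because it sorts above 11.2.4-h15; the per-train check is what flags it as affected.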

The vulnerability doesn’t impact Cloud Next-Generation Firewall (NGFW). At the time of this writing, Palo Alto Networks is not aware of attacks in the wild exploiting this vulnerability.

A hacking campaign that began on December 2, 2025, targeted GlobalProtect logins and scanned SonicWall APIs.

Pierluigi Paganini

(SecurityAffairs – hacking, GlobalProtect)