Palo Alto Networks Firewall Vulnerability Allows Attackers To Trigger Denial Of Service

Palo Alto Networks has released security updates to address a high‑severity denial-of-service (DoS) vulnerability in PAN-OS that could allow unauthenticated attackers to repeatedly crash firewalls configured with GlobalProtect, forcing them into maintenance mode and disrupting network availability.

The flaw, tracked as CVE-2026-0227, carries a CVSS Base score of 8.7 and affects both on‑premises PAN-OS next-generation firewalls (NGFW) and Prisma Access deployments with GlobalProtect gateway or portal enabled.

DoS Flaw In GlobalProtect Gateway and Portal

According to Palo Alto Networks’ advisory, CVE-2026-0227 is caused by an improper check for unusual or exceptional conditions in the PAN-OS implementation of the GlobalProtect gateway and portal, mapping to CWE‑754 and CAPEC‑210 (Abuse Existing Functionality).

An unauthenticated remote attacker can exploit this logic flaw over the network to trigger a DoS condition, causing the targeted firewall to stop processing traffic and, if repeatedly abused, to enter maintenance mode where it requires administrative intervention to recover normal operations.

The issue is exposed only when a PAN-OS NGFW or Prisma Access tenant has an active GlobalProtect gateway or portal, meaning environments that do not use GlobalProtect are not impacted by this specific vulnerability.

Palo Alto Networks reports no evidence of malicious exploitation in the wild so far, but notes that a proof‑of‑concept (PoC) exploit exists and rates the severity as HIGH with a “MODERATE” suggested urgency under its CVSS 4.0 breakdown (CVSS‑BT 7.7 / CVSS‑B 8.7).

Affected Versions, Fixes, and Guidance

The vulnerability impacts multiple PAN-OS 10.1, 10.2, 11.1, 11.2, and 12.1 branches, while Cloud NGFW is listed as unaffected.

Affected PAN-OS versions include 12.1.0–12.1.3 (and 12.1.3 before hotfix h3); 11.2.0–11.2.10 before hotfix levels 11.2.4‑h15, 11.2.7‑h8, and 11.2.10‑h2; 11.1.0–11.1.12 before hotfixes 11.1.4‑h27, 11.1.6‑h23, 11.1.10‑h9, and 11.1.13; 10.2.0–10.2.18 before fixed builds 10.2.7‑h32, 10.2.10‑h30, 10.2.13‑h18, 10.2.16‑h6, and 10.2.18‑h1; and PAN‑OS 10.1 earlier than 10.1.14‑h20.

Prisma Access tenants are vulnerable on 11.2 prior to 11.2.7‑h8 and 10.2 prior to 10.2.10‑h29, with most customers already upgraded and remaining tenants scheduled via the standard upgrade process.

Palo Alto Networks’ recommended remediation is to upgrade to the nearest fixed PAN-OS maintenance release: for example, 12.1.0–12.1.3 users should move to 12.1.4 or later, 11.2.8–11.2.10 to 11.2.10‑h2 or later, and 10.2.17–10.2.18 to 10.2.18‑h1 or later; older unsupported PAN-OS versions should be upgraded to a supported fixed train.

There are no workarounds or mitigations available, so organizations running GlobalProtect gateways or portals on affected PAN-OS or Prisma Access versions should prioritize patching to prevent attackers from abusing this DoS flaw to disable perimeter firewalls and cause outage‑scale disruption.
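
As an added example (not code from Palo Alto Networks or from the original article), the following Python check classifies a PAN-OS version string against the fixed builds listed above and flags devices that also run GlobalProtect. It covers the on‑premises PAN-OS list only, not the Prisma Access thresholds, and it assumes that releases newer than the highest listed fix in a branch include the fix; the inventory in the demo is constructed.

```python
import re

# Fixed builds per branch, transcribed from the advisory summary above.
# Each entry is (maintenance release, hotfix); hotfix 0 means the base release.
FIXED = {
    "12.1": [(3, 3), (4, 0)],
    "11.2": [(4, 15), (7, 8), (10, 2)],
    "11.1": [(4, 27), (6, 23), (10, 9), (13, 0)],
    "10.2": [(7, 32), (10, 30), (13, 18), (16, 6), (18, 1)],
    "10.1": [(14, 20)],
}

VERSION_RE = re.compile(r"^(\d+\.\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split '11.2.7-h8' into ('11.2', 7, 8); no hotfix suffix parses as hotfix 0."""
    text = version.strip().replace("\u2011", "-")  # page uses non-breaking hyphens
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def status(version):
    """Return 'fixed', 'affected', or 'not-listed' for a PAN-OS version string."""
    branch, maint, hotfix = parse(version)
    fixes = FIXED.get(branch)
    if fixes is None:
        return "not-listed"  # branch not covered by the page; check the vendor advisory
    # Same maintenance release as a listed fix, at or above its hotfix level.
    if any(maint == m and hotfix >= h for m, h in fixes):
        return "fixed"
    # Assumption: anything newer than the highest listed fix carries the fix.
    if (maint, hotfix) > max(fixes):
        return "fixed"
    return "affected"


def needs_patch(version, globalprotect_enabled):
    """The page says only devices with a GlobalProtect gateway or portal are exposed."""
    return globalprotect_enabled and status(version) == "affected"


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, GlobalProtect enabled).
    for host, ver, gp in [("fw-edge-1", "11.2.7-h4", True), ("fw-edge-2", "10.2.18-h1", True),
                          ("fw-core-1", "11.1.12", False), ("fw-lab-1", "12.1.4", True)]:
        print(f"{host:10} {ver:11} {status(ver):10} patch={needs_patch(ver, gp)}")
```

A maintenance release that sits between two listed hotfix trains (for example 11.2.5) is reported as affected, which matches the page's guidance to move to the nearest fixed release.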
