Palo Alto Networks has issued patches for its PAN-OS firewall platform after a researcher uncovered a high-severity vulnerability which could be exploited by attackers to cause a denial-of-service (DoS).
The flaw, identified as CVE-2026-0227 with a CVSS 7.7 (‘high’) severity rating, affects customers running PAN-OS NGFW (Next-Generation Firewall) or Prisma Access configurations with the company’s GlobalProtect remote access gateway or portal enabled.
Unpatched, this would make it possible for “an unauthenticated attacker to cause a denial of service to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode,” said Palo Alto’s advisory.
The company doesn’t spell out the implications of a firewall entering maintenance mode, but it’s hard to imagine it wouldn’t cause network outages as admins scrambled to address the issue.
Although Palo Alto Networks said it wasn’t aware of exploitation in the wild, the advisory also states that the issue was reported to it by an unnamed researcher, and that proof of concept (PoC) code exists.
Given that PoCs have a habit of leaking out or being independently reproduced, this makes Palo Alto’s description of the issue as being of “moderate urgency” read as optimistic.
This new vulnerability brings to mind an almost identical Palo Alto Networks DoS issue from late 2024, CVE-2024-3393, that also put affected firewalls into maintenance mode. On that occasion, attackers found out about the issue before patches appeared, making it a zero-day vulnerability.
More recently, in December, threat intelligence company GreyNoise noticed an uptick in automated login attempts targeting both GlobalProtect and Cisco VPNs, while earlier in 2025, PAN-OS was affected by a serious zero-day flaw, CVE-2025-0108, that allowed attackers to bypass login authentication.
“According to Palo Alto Networks’ security advisories, the company has reported almost 500 vulnerabilities to date, many of which affected PAN-OS. A significant minority related to DoS issues,” a spokesperson for threat intelligence company Flashpoint observed. “[But] a notable portion of Palo Alto disclosures historically did not receive CVE identifiers, particularly older PAN-OS issues, which can complicate longitudinal comparison across vendors.”
Who is affected?
The good news is that most customers using the company’s cloud-delivered Secure Access Service Edge (SASE) platform, Prisma Access, have already been patched.
“We have successfully completed the Prisma Access upgrade for most of the customers, with the exception of few in progress due to conflicting upgrade schedules. Remaining customers are being promptly scheduled for an upgrade through our standard upgrade process,” said the advisory.
That leaves a not inconsiderable number of PAN-OS NGFW customers using the GlobalProtect gateway or portal who will need to apply the patch themselves. Palo Alto said there are no known workarounds, although it might be possible to mitigate the issue by temporarily disabling the VPN interface, at the cost of losing remote access until patching is complete.
Palo Alto Networks has published a detailed table of applicable patches, which vary depending on the underlying PAN-OS version (12.1, 11.2, 11.1, 10.2) in use. Versions older than 10.2 are unsupported; the fix is to update to a supported patched version.
Availability disruption
According to Flashpoint, a DoS state wouldn’t expose enterprises to a wider security threat. “Modern enterprise firewalls are designed to ‘fail closed’ rather than ‘fail open’. Entering maintenance mode due to a DoS condition is therefore more accurately characterized as a potential availability disruption than a direct security exposure,” said the spokesperson. “The core risk here appears to be resilience rather than compromise.”
This article originally appeared on NetworkWorld.