PAN-OS GlobalProtect DoS Vulnerability Could Force Firewalls into Maintenance Mode

Published Date: January 15, 2026
Category: ShadowOpsIntel
Share:

CVE-2026-0227 is a Denial of Service (DoS) vulnerability found in Palo Alto Networks PAN-OS devices configured with GlobalProtect Gateway or Portal. An unauthenticated remote attacker can repeatedly trigger the flaw, forcing affected firewalls into maintenance mode, leading to service unavailability. The issue is rated High severity (CVSS 7.7) and affects several PAN-OS and Prisma Access versions prior to the latest patched releases.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2026-0227
  • CVSS Score: 7.7
  • CWE ID: CWE-754 – Improper Check for Unusual or Exceptional Conditions
  • Description: A flaw in PAN-OS software improperly handles exceptional or unexpected network conditions within GlobalProtect components. Exploitation allows a remote attacker without credentials or user interaction to send crafted network packets that consume system resources and cause a DoS state. Repeated exploitation forces the firewall to enter maintenance mode, effectively disabling normal traffic processing and VPN services.
  • Scope: Limited to firewalls and Prisma Access instances running GlobalProtect.
  • Exploitation Status: No malicious exploitation observed in the wild as of January 15 2026

Affected Products

This vulnerability affects the following product families when the GlobalProtect Gateway or Portal feature is enabled:

ProductAffected VersionsFixed Versions
PAN-OS 12.1< 12.1.3-h3, < 12.1.4≥ 12.1.3-h3 or ≥ 12.1.4
PAN-OS 11.2< 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2≥ 11.2.4-h15, ≥ 11.2.7-h8, ≥ 11.2.10-h2
PAN-OS 11.1< 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13>= 11.1.4-h27, >= 11.1.6-h23, >= 11.1.10-h9, ≥ 11.1.13
PAN-OS 10.2< 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1>= 10.2.7-h32, >= 10.2.10-h30, >= 10.2.13-h18, >= 10.2.16-h6, ≥ 10.2.18-h1
PAN-OS 10.1< 10.1.14-h20≥ 10.1.14-h20
Prisma Access 11.2< 11.2.7-h8≥ 11.2.7-h8
Prisma Access 10.2< 10.2.10-h29≥ 10.2.10-h29

Recommendations

  1. Immediate upgrade to the fixed PAN-OS or Prisma Access versions listed above.
  2. Monitor system logs for repeated service disruptions or maintenance-mode triggers.
  3. Restrict GlobalProtect exposure to trusted IP ranges and enforce strict DoS protection profiles.

Source:

  • https://security.paloaltonetworks.com/CVE-2026-0227

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

Ampcus Cyber
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

 Talk to an expert