Palo Alto Networks warns of a high-severity DoS vulnerability (CVE-2026-0227) enabling unauthenticated attackers to disable firewall protections, with urgent patching required for affected PAN-OS devices and Prisma Access configurations.
Palo Alto Networks has issued a critical security alert regarding a high-severity vulnerability that could allow attackers to remotely disable firewall defenses through denial-of-service attacks. This flaw, tracked as CVE-2026-0227, impacts next-generation firewalls running PAN-OS 10.1 or later when GlobalProtect gateway or portal features are enabled.
The vulnerability enables unauthenticated attackers to repeatedly trigger a maintenance mode state that disables firewall protections. According to Palo Alto Networks' advisory: "Repeated attempts to trigger this issue results in the firewall entering into maintenance mode." This could leave networks defenseless against follow-on attacks.
Internet security watchdog Shadowserver has identified nearly 6,000 Palo Alto Networks firewalls publicly exposed online. While not all may be vulnerable, the widespread exposure underscores the attack surface:
Caption: Palo Alto Networks firewalls exposed online (Shadowserver)
Affected Systems:
- PAN-OS firewalls (versions 10.1+ with GlobalProtect enabled)
- Prisma Access configurations
Patch Status:
- Cloud NGFW: Fully patched
- Prisma Access: Most instances upgraded, remainder scheduled
- On-premises firewalls: Require manual patching
Urgent Upgrade Paths:
| PAN-OS Version | Affected Minor Versions | Required Update |
|---|---|---|
| 12.1 | 12.1.0 - 12.1.3 | 12.1.4+ |
| 11.2 | 11.2.8 - 11.2.10 | 11.2.10-h2+ |
| 11.2 | 11.2.5 - 11.2.7 | 11.2.7-h8+ |
| 11.1 | 11.1.11 - 11.1.12 | 11.1.13+ |
| 10.2 | 10.2.17 - 10.2.18 | 10.2.18-h1+ |
| Unsupported | All | Upgrade to supported version |
Broader Threat Context: Palo Alto firewalls remain prime targets for attackers. Recent incidents include:
- November 2024: Exploitation of PAN-OS zero-days granting root access
- December 2024: Active attacks leveraging CVE-2024-3393 DoS vulnerability
- February 2025: Chained exploitation of three vulnerabilities (CVE-2025-0111, CVE-2025-0108, CVE-2024-9474)
- Recent brute-force campaigns targeting GlobalProtect portals from over 7,000 IPs
Actionable Recommendations:
- Immediately verify GlobalProtect status: Disable if not essential
- Apply the latest PAN-OS updates using provided version paths
- Monitor firewall logs for maintenance mode triggers
- Review firewall exposure: Limit public internet access to management interfaces
- Prioritize Prisma Access upgrades if using cloud firewalls
While Palo Alto Networks reports no current exploitation of CVE-2026-0227, the pattern of rapid weaponization of similar vulnerabilities means organizations should treat patching as critical. With over 70,000 global customers relying on Palo Alto defenses—including major financial institutions and government agencies—prompt remediation is essential to prevent potential network compromises.
For patch details and mitigation guidance, consult Palo Alto Networks' official advisory.
Comments
Please log in or register to join the discussion