Palo Alto Networks has issued urgent security updates to address a critical denial-of-service (DoS) vulnerability in its GlobalProtect Gateway and Portal software. The flaw, identified as CVE-2026-0227, allows unauthenticated attackers to crash firewalls, potentially leading to extended downtime and disruption of network security services. A proof-of-concept exploit for this vulnerability is already in circulation, heightening the urgency for administrators to apply the patches.

Key Takeaways

• A critical DoS vulnerability (CVE-2026-0227) affects Palo Alto Networks' GlobalProtect.

• Attackers can crash firewalls without needing any authentication.

• Patches are available for multiple PAN-OS and Prisma Access versions.

• There are no workarounds; immediate patching is advised.

Vulnerability Details

The vulnerability, rated with a CVSS score of 7.7, stems from an improper check for exceptional conditions within the PAN-OS software. This weakness enables an unauthenticated attacker to trigger a denial-of-service condition. Repeated exploitation attempts can force the affected firewall into maintenance mode, rendering it inoperable and compromising network security. The issue was discovered and reported by an external security researcher.

Affected Versions and Mitigation

The vulnerability impacts specific versions of PAN-OS and Prisma Access when a GlobalProtect gateway or portal is enabled. Cloud Next-Generation Firewall (NGFW) configurations are not affected. Palo Alto Networks has released security updates for all vulnerable versions, and administrators are strongly advised to upgrade immediately. There are no workarounds available to mitigate this flaw, making patching the only solution.

Affected PAN-OS versions include:

• PAN-OS 12.1: Versions prior to 12.1.3-h3 and 12.1.4

• PAN-OS 11.2: Versions prior to 11.2.4-h15, 11.2.7-h8, and 11.2.10-h2

• PAN-OS 11.1: Versions prior to 11.1.4-h27, 11.1.6-h23, 11.1.10-h9, and 11.1.13

• PAN-OS 10.2: Versions prior to 10.2.7-h32, 10.2.10-h30, 10.2.13-h18, 10.2.16-h6, and 10.2.18-h1

• PAN-OS 10.1: Versions prior to 10.1.14-h20

Prisma Access versions affected include:

• Prisma Access 11.2: Versions prior to 11.2.7-h8

• Prisma Access 10.2: Versions prior to 10.2.10-h29

Threat Landscape and Recommendations

While Palo Alto Networks has stated there is no current evidence of this specific vulnerability being exploited in the wild, the existence of a proof-of-concept exploit and the known targeting of GlobalProtect gateways by malicious actors underscore the critical need for prompt patching. Exposed GlobalProtect gateways have experienced significant scanning activity in the past year, making them prime targets. Organizations are urged to consult Palo Alto Networks' advisories for detailed upgrade instructions and ensure their systems are secured against potential attacks.

Sources

• Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login, The Hacker News.

• Palo Alto Networks warns of DoS bug letting hackers disable firewalls, BleepingComputer.