Palo Alto Networks PAN-OS GlobalProtect DoS Vulnerability (CVE-2026-0227)
Palo Alto Networks released fixes for CVE-2026-0227, a high-severity denial-of-service vulnerability in PAN-OS that can be triggered by an unauthenticated attacker when the GlobalProtect gateway or portal is enabled on affected next-generation firewall and Prisma Access configurations. Repeated exploitation attempts can force impacted firewalls into maintenance mode, effectively disabling protections and causing service disruption; Palo Alto Networks stated there are no workarounds and advised upgrading to patched releases.
Reporting indicates a proof-of-concept (PoC) exploit exists, although Palo Alto Networks said it had no evidence of in-the-wild exploitation at the time of advisory publication. Exposure risk remains material given the large number of internet-facing Palo Alto Networks firewalls observed online (with Shadowserver tracking roughly 6,000 exposed devices) and the scanning activity that has historically targeted exposed GlobalProtect endpoints. Administrators should prioritize patching across affected PAN-OS and Prisma Access versions and validate whether GlobalProtect is enabled on externally reachable interfaces.
Timeline
Jan 15, 2026
Reports highlight exposure of internet-facing Palo Alto firewalls
Coverage of the disclosure noted Shadowserver reporting nearly 6,000 Palo Alto Networks firewalls exposed online, though it was unclear how many were vulnerable or already patched. The reporting emphasized the risk to organizations with internet-accessible GlobalProtect services.
Jan 15, 2026
Palo Alto Networks says PoC exists but no active exploitation observed
In its advisory, Palo Alto Networks stated that a proof-of-concept exploit for CVE-2026-0227 exists, but it had not observed exploitation in the wild at the time of disclosure. The company also noted there are no workarounds, making patching the primary mitigation.
Jan 15, 2026
Palo Alto Networks discloses and patches CVE-2026-0227 in GlobalProtect
Palo Alto Networks disclosed and released fixes for CVE-2026-0227, a high-severity denial-of-service flaw in PAN-OS GlobalProtect Gateway and Portal that can be triggered by an unauthenticated attacker. The bug affects supported PAN-OS and certain Prisma Access versions when GlobalProtect is enabled, and fixed releases were provided across multiple branches.
Related Stories

Palo Alto PAN-OS Vulnerabilities Including ADNS DoS (CVE-2026-0229)
Palo Alto Networks published fixes for multiple **PAN-OS** vulnerabilities affecting supported releases (including PAN-OS 12.1, 11.2, 11.1, and 10.2) and related services such as *Prisma Access* and *Prisma Browser*. The Canadian Centre for Cyber Security amplified the vendor guidance, pointing organizations to apply updates and mitigations for PAN-OS and Prisma products, including **CVE-2026-0228** and **CVE-2026-0229**, and a separate Chromium monthly update advisory referenced by Palo Alto. **CVE-2026-0229** is a network-reachable denial-of-service condition in PAN-OS’s **Advanced DNS Security (ADNS)** feature that can allow an unauthenticated attacker to trigger system reboots with a maliciously crafted packet; repeated triggering can push a firewall into maintenance mode, creating a high availability impact. Exposure requires ADNS to be enabled and a spyware profile action set to `block`, `sinkhole`, or `alert` (i.e., not `allow`); Palo Alto stated *Cloud NGFW* and *Prisma Access* are not impacted by this specific issue and reported no known exploitation. **CVE-2026-0228** involves improper certificate validation that can allow Windows Terminal Server Agents to connect using expired certificates under certain configurations, with no workaround noted by the vendor; affected organizations are advised to upgrade to fixed PAN-OS versions per Palo Alto’s guidance.
1 month ago
Critical Palo Alto GlobalProtect Command Injection Led to Active Exploitation
A critical command injection flaw in **Palo Alto Networks GlobalProtect** exposed internet-facing devices running affected `PAN-OS` versions to unauthenticated remote code execution with **root-level access**. Palo Alto confirmed the vulnerability was being exploited in the wild, and **CISA** added it to the **Known Exploited Vulnerabilities (KEV)** catalog. The issue affected systems with GlobalProtect enabled on `PAN-OS 10.2`, `11.0`, and `11.1`, and public proof-of-concept exploit code increased the urgency for defenders to patch. Finland’s National Cyber Security Centre said it issued a serious warning after receiving the first breach notifications tied to the flaw and identified several hundred potentially vulnerable Palo Alto devices in domestic networks. About 15 incident reports related to Palo Alto devices were received, though no more serious breach cases were identified. Early vendor guidance that disabling telemetry could mitigate risk was later deemed insufficient, prompting a shift to immediate patching; fixes were released for supported branches including `10.2.9-h1`, `11.0.4-h1`, and `11.1.2-h3`, after which the Finnish warning was withdrawn as the threat subsided.
1 week ago
Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical buffer overflow in the PAN-OS **User-ID Authentication Portal** (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with **root privileges**. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed **PA-Series** and **VM-Series** firewalls running multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 versions. Palo Alto assigned the issue a **CVSS 9.3** when the portal is reachable from the public internet or other untrusted networks, and **8.7** when access is limited to trusted internal IP addresses. The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while **Prisma Access**, **Cloud NGFW**, and **Panorama** are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a **Threat Prevention Signature** for PAN-OS 11.1 and later was released as an added mitigation layer.
Today