Critical Palo Alto GlobalProtect Command Injection Led to Active Exploitation
A critical command injection flaw in Palo Alto Networks GlobalProtect exposed internet-facing devices running affected PAN-OS versions to unauthenticated remote code execution with root-level access. Palo Alto confirmed the vulnerability was being exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog. The issue affected systems with GlobalProtect enabled on PAN-OS 10.2, 11.0, and 11.1, and public proof-of-concept exploit code increased the urgency for defenders to patch.
Finland’s National Cyber Security Centre said it issued a serious warning after receiving the first breach notifications tied to the flaw and identified several hundred potentially vulnerable Palo Alto devices in domestic networks. About 15 incident reports related to Palo Alto devices were received, though no more serious breach cases were identified. Early vendor guidance that disabling telemetry could mitigate risk was later deemed insufficient, prompting a shift to immediate patching; fixes were released for supported branches including 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, after which the Finnish warning was withdrawn as the threat subsided.
Timeline
Feb 14, 2025
Palo Alto discloses exploited PAN-OS management interface vulnerability
Palo Alto disclosed a serious PAN-OS vulnerability affecting firewall management interfaces that allows an unauthenticated attacker to invoke certain PHP scripts and impact system integrity and confidentiality. The vendor released fixes for supported PAN-OS 10.1, 10.2, 11.1, and 11.2 versions, while noting exploitation attempts and public proof-of-concept code.
May 7, 2024
Finland removes Palo Alto GlobalProtect warning
The Finnish National Cyber Security Centre removed its earlier warning because the threat to organizations had subsided after affected devices were updated. This marked the de-escalation of the domestic response to the vulnerability.
May 7, 2024
Finnish authorities receive about 15 Palo Alto-related incident reports
During the response period, Finland’s National Cyber Security Centre received around 15 incident reports related to Palo Alto devices, though no more serious breach cases were identified. The reports reflected active domestic impact from the vulnerability.
Apr 18, 2024
Finland issues serious warning after first domestic breach notifications
Finland’s National Cyber Security Centre issued a serious warning about the Palo Alto GlobalProtect vulnerability after receiving the first incident notifications in Finland. The centre observed several hundred potentially vulnerable devices in domestic networks.
Apr 17, 2024
Palo Alto publishes broader fixed versions across PAN-OS branches
By 17 April 2024, Palo Alto had identified fixed releases including PAN-OS 10.2.9-h1, 11.0.4-h1, 11.1.2-h3, and later versions, with additional fixes for older maintenance branches. A Threat Prevention mitigation and support workflows for compromise checks remained available.
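As an added example (not code from this page or from Palo Alto Networks), a small Python check that compares a running PAN-OS version string against the first fixed releases listed above, treating a missing `-hN` hotfix suffix as hotfix 0 so that 10.2.9 sorts below 10.2.9-h1. The status names are assumptions, as is the reading that any later release on a listed branch is fixed; back-ported fixes for older maintenance releases are not in the table, so "below-listed-fix" means "check the advisory", not a confirmed vulnerable device.

```python
import re
from typing import Tuple

# First fixed release per supported branch, as listed in the timeline entry above.
# Later releases on the same branch are treated as fixed. Back-ports for older
# maintenance releases (mentioned but not listed on the page) are NOT included.
FIXED_BY_BRANCH = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a sortable tuple.

    A missing hotfix counts as 0, so '10.2.9' < '10.2.9-h1' < '10.2.10'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def globalprotect_fix_status(version: str) -> str:
    """Classify a running version against the listed first fixes.

    Returns 'fixed', 'below-listed-fix' (at or under the first fix on a listed
    branch; may still carry a later back-port), or 'unknown-branch' (branch not
    covered by the table, e.g. PAN-OS 9.x or 10.1).
    """
    parsed = parse_panos_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    first_fix = FIXED_BY_BRANCH.get(branch)
    if first_fix is None:
        return "unknown-branch"
    return "fixed" if parsed >= parse_panos_version(first_fix) else "below-listed-fix"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported PAN-OS version.
    inventory = {"fw-edge-1": "10.2.9", "fw-edge-2": "11.1.3", "fw-lab": "9.1.5"}
    for host, ver in inventory.items():
        print(f"{host:10} {ver:12} {globalprotect_fix_status(ver)}")
```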
Apr 17, 2024
Need for patching becomes urgent as workaround proves insufficient
By 17 April 2024, it became clear that earlier guidance to disable telemetry was not sufficient protection, especially after proof-of-concept exploit code became public. Defenders were urged to install vendor patches immediately, and CISA had added the issue to its Known Exploited Vulnerabilities catalog.
Apr 14, 2024
Palo Alto releases initial fixes for GlobalProtect vulnerability
Palo Alto Networks published initial patches for a critical command injection vulnerability affecting GlobalProtect on PAN-OS 10.2, 11.0, and 11.1. The flaw could allow an unauthenticated remote attacker to gain root access and execute arbitrary code.
Related Stories

Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical buffer overflow in the PAN-OS **User-ID Authentication Portal** (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with **root privileges**. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed **PA-Series** and **VM-Series** firewalls running multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 versions. Palo Alto assigned the issue a **CVSS 9.3** when the portal is reachable from the public internet or other untrusted networks, and **8.7** when access is limited to trusted internal IP addresses. The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while **Prisma Access**, **Cloud NGFW**, and **Panorama** are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a **Threat Prevention Signature** for PAN-OS 11.1 and later was released as an added mitigation layer.
Today
Palo Alto Networks PAN-OS GlobalProtect DoS Vulnerability (CVE-2026-0227)
Palo Alto Networks released fixes for **CVE-2026-0227**, a high-severity denial-of-service vulnerability in **PAN-OS** that can be triggered by an **unauthenticated** attacker when the **GlobalProtect gateway or portal** is enabled on affected next-generation firewall and *Prisma Access* configurations. Repeated exploitation attempts can force impacted firewalls into **maintenance mode**, effectively disabling protections and causing service disruption; Palo Alto Networks stated there are **no workarounds** and advised upgrading to patched releases. Reporting indicates a **proof-of-concept (PoC)** exploit exists, although Palo Alto Networks said it had **no evidence of in-the-wild exploitation** at the time of advisory publication. Exposure risk remains material given the large number of internet-facing Palo Alto Networks firewalls observed online (with Shadowserver tracking roughly **6,000** exposed devices) and ongoing scanning activity historically targeting exposed GlobalProtect endpoints; administrators should prioritize patching across affected PAN-OS and Prisma Access versions and validate whether GlobalProtect is enabled on externally reachable interfaces.
1 month ago
Critical Cisco Secure Email Gateway and PAN-OS Flaws Expose Perimeter Devices
Cisco disclosed a **critical vulnerability** in Secure Email Gateway appliances running affected `AsyncOS` versions when inbound mail rules use **File Analysis** (`Cisco AMP`) or **Content Filter** features and the bundled **Content Scanner Tools** are older than `23.3.0.4823`. Successful exploitation can let an attacker overwrite files at the operating-system level, enabling **root-level account creation**, configuration changes, arbitrary code execution, and denial of service. Cisco released software updates and said no alternative mitigations are available. Palo Alto Networks also issued fixes for a **serious PAN-OS management interface flaw** that allows an unauthenticated attacker to execute certain PHP scripts and affect the **integrity and confidentiality** of the firewall, though the vendor said it does not permit arbitrary remote code execution. Exploitation attempts have already been observed and proof-of-concept code is public, increasing urgency for exposed management interfaces. Palo Alto said **Cloud NGFW** and **Prisma Access** are not affected, while `PAN-OS 11.0` is out of support and will not receive a patch.
1 week ago