Palo Alto Networks Firewall Flaw Enables Denial-of-Service Attacks


Palo Alto Networks has released security patches to address a high-severity denial-of-service vulnerability in its PAN-OS firewall software that enables unauthenticated attackers to disrupt critical network infrastructure components.

The flaw, tracked as CVE-2026-0227, specifically impacts GlobalProtect gateway and portal deployments widely used for remote access across enterprise environments.

The vulnerability carries a CVSS v4.0 base score of 7.7, classified as HIGH severity, with an elevated base score of 8.7 when environmental factors are considered.

Disclosed on January 14, 2026, the security issue stems from improper validation of unusual or exceptional conditions within the firewall software, allowing threat actors to force affected systems into maintenance mode through repeated exploitation attempts.

Attack Vector and Exploitation Characteristics

Security researchers have confirmed that CVE-2026-0227 can be exploited remotely over the network with low attack complexity, requiring neither authentication credentials nor user interaction.

This combination of factors makes the vulnerability particularly concerning for security teams, as automated exploitation tools could rapidly target exposed systems at scale.

The flaw maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions) in the Common Weakness Enumeration and to CAPEC-210 (Abuse Existing Functionality) in the Common Attack Pattern Enumeration and Classification catalog.

While the vulnerability severely impacts system availability by forcing firewalls offline, it does not compromise data confidentiality or integrity, limiting the attack scope to service disruption rather than data exfiltration.

Palo Alto Networks has acknowledged that proof-of-concept code demonstrating the exploitation technique exists in the security research community.

However, the company’s Product Security Incident Response Team (PSIRT) reports no evidence of active malicious exploitation in the wild as of the advisory publication date.

Security analysts have noted scanning activity that may indicate adversaries probing for vulnerable systems.

The vulnerability affects only PAN-OS next-generation firewall deployments and Prisma Access configurations with a GlobalProtect gateway or portal enabled.

Cloud NGFW customers remain unaffected by this security issue and require no remediation.

Multiple PAN-OS release branches contain the vulnerability, spanning legacy versions through current releases.

The affected software versions include PAN-OS 12.1 releases prior to 12.1.3-h3 and 12.1.4; PAN-OS 11.2 versions before 11.2.4-h15, 11.2.7-h8, and 11.2.10-h2; and numerous hotfix releases across the 11.1, 10.2, and 10.1 branches.

Prisma Access deployments running versions below 11.2.7-h8 and 10.2.10-h29 also require immediate attention.

| Product | Affected Versions | Patched Versions |
| --- | --- | --- |
| PAN-OS 12.1 | < 12.1.3-h3, < 12.1.4 | >= 12.1.3-h3, >= 12.1.4 |
| PAN-OS 11.2 | < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2 | >= 11.2.4-h15, >= 11.2.7-h8, >= 11.2.10-h2 |
| PAN-OS 11.1 | < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13 | >= 11.1.4-h27, >= 11.1.6-h23, >= 11.1.10-h9, >= 11.1.13 |
| PAN-OS 10.2 | < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1 | >= 10.2.7-h32, >= 10.2.10-h30, >= 10.2.13-h18, >= 10.2.16-h6, >= 10.2.18-h1 |
| Prisma Access 11.2 | < 11.2.7-h8 | >= 11.2.7-h8 |
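An added example, not code from Palo Alto Networks or the original article: a Python check that classifies firewall inventory versions against the patched-versions table above. It covers only the four PAN-OS branches the table lists and assumes that a maintenance release newer than the newest listed fix includes it, while a maintenance release with no listed hotfix is treated as affected; the function names and sample inventory are constructed.

```python
import re

# Fixed releases per branch, copied from the table above.
FIXED = {
    "12.1": ["12.1.3-h3", "12.1.4"],
    "11.2": ["11.2.4-h15", "11.2.7-h8", "11.2.10-h2"],
    "11.1": ["11.1.4-h27", "11.1.6-h23", "11.1.10-h9", "11.1.13"],
    "10.2": ["10.2.7-h32", "10.2.10-h30", "10.2.13-h18", "10.2.16-h6", "10.2.18-h1"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split 'X.Y.Z[-hN]' into (branch, maintenance, hotfix); no suffix means hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)

def status(version):
    """Return 'patched', 'affected' or 'unknown' for one PAN-OS version string."""
    branch, maint, hotfix = parse(version)
    if branch not in FIXED:
        return "unknown"  # branch not in the table; consult the vendor advisory
    fixes = {m: h for _, m, h in map(parse, FIXED[branch])}
    if maint in fixes:
        return "patched" if hotfix >= fixes[maint] else "affected"
    # Assumption (conservative): only maintenance releases newer than the newest
    # listed fix are taken as patched; unlisted older ones count as affected.
    return "patched" if maint > max(fixes) else "affected"

def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: status(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample data.
    sample = {"fw-edge-01": "11.2.7-h7", "fw-edge-02": "11.2.10-h2", "fw-lab-01": "10.1.14"}
    for host, result in triage(sample).items():
        print(f"{host}: {sample[host]} -> {result}")
```

Hosts reported as `unknown` run a branch the table does not enumerate and need a manual check against the vendor advisory.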

Palo Alto Networks has classified the remediation urgency as MODERATE despite the HIGH severity rating, with recovery efforts requiring user-led intervention.

Organizations running affected versions should prioritize upgrading to patched releases immediately, as no workaround configurations or temporary mitigation measures exist to reduce exposure risk.

For PAN-OS 12.1 customers, upgrading to version 12.1.4 or later provides complete protection.

Organizations running PAN-OS 11.2 systems should deploy hotfix 11.2.10-h2 or later versions, while legacy branch users must transition to the appropriate hotfixes based on their current minor release.

Prisma Access customers benefit from automated upgrade scheduling through Palo Alto Networks’ standard deployment process, with most environments already patched.

Security teams should verify their GlobalProtect configurations via the Palo Alto Networks customer support portal and monitor for unusual firewall behavior or unexpected maintenance-mode activations.

Organizations unable to apply patches immediately should consider temporarily disabling GlobalProtect functionality, if operationally feasible, though this approach may disrupt remote access for distributed workforces.
