A newly disclosed security flaw in Palo Alto Networks’ PAN-OS software has raised concerns for organisations relying on remote access firewalls, after researchers confirmed it can be exploited to trigger denial-of-service (DoS) conditions.
Tracked as CVE-2026-0227, the vulnerability allows unauthenticated attackers to remotely disrupt GlobalProtect gateways and portals. The issue carries a CVSS v4.0 base score of 7.7, placing it in the high severity category. It was officially published on 01/14/2026.
The flaw is caused by improper handling of unusual or exceptional conditions. When repeatedly exploited, it can force affected firewalls into maintenance mode, leading to service disruption. While confidentiality and integrity are not impacted, availability is significantly affected.
Attackers can exploit the weakness over the network, with low attack complexity, no privileges, and no user interaction, making the attack highly feasible and automatable. The issue aligns with CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-210 (Abuse of Existing Functionality).
Palo Alto Networks confirmed that proof-of-concept (PoC) code exists, though it noted that no active malicious exploitation has been detected so far. Exposure occurs only when GlobalProtect gateways or portals are enabled on PAN-OS next-generation firewalls or Prisma Access, a common setup in remote access environments. Cloud NGFW is not affected.
The vulnerability impacts multiple legacy and current PAN-OS branches. Fixed versions have been released across supported releases, including PAN-OS 12.1.4, 11.2.10-h2, 11.1.13, 10.2.18-h1, and 10.1.14-h20, along with corresponding Prisma Access updates. Administrators are advised to review detailed version mappings and upgrade immediately.
Palo Alto Networks stated there are no workarounds for this issue. Recovery requires user-led action, and the overall response effort is rated moderate. An external researcher has been credited for responsibly reporting the flaw.
Security community discussions point to recent scanning activity that may be probing for this vulnerability. Organisations are urged to verify their firewall configurations through official support channels and closely monitor for signs of DoS attempts while PoC code remains available.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
