“`html
Palo Alto Networks has resolved a significant denial-of-service vulnerability within its PAN-OS firewall software, recorded as CVE-2026-0227, permitting unauthenticated aggressors to interrupt GlobalProtect gateways and portals.
This issue holds a CVSS v4.0 base score of 7.7 (HIGH severity), resulting from inadequate checks for atypical conditions that prompt firewalls into maintenance mode following multiple exploitation attempts.
Disclosed on January 14, 2026, this concern influences various PAN-OS versions but does not affect Cloud NGFW whatsoever.
Palo Alto Networks Firewall Vulnerability
Aggressors can exploit this through the network with minimal complexity, no privileges, and no user interaction necessary, rendering it automatable and quite achievable.
This vulnerability correlates with CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-210 (Abuse Existing Functionality), severely impacting product availability while leaving confidentiality and integrity intact.
Palo Alto indicates that proof-of-concept code is available (Exploit Maturity: POC), though no active malicious exploitation has been reported. The exposure necessitates GlobalProtect gateway or portal activation on PAN-OS next-generation firewalls (NGFW) or Prisma Access, commonly found in remote access configurations.
This vulnerability impacts both legacy and current PAN-OS branches, with a detailed list of affected and unaffected versions provided below.
| Product | Affected Versions | Unaffected Versions |
|---|---|---|
| PAN-OS 12.1 | < 12.1.3-h3, < 12.1.4 | >= 12.1.3-h3, >= 12.1.4 |
| PAN-OS 11.2 | < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2 | >= 11.2.4-h15 (ETA: 1/14/2026), >= 11.2.7-h8, >= 11.2.10-h2 |
| PAN-OS 11.1 | < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13 | >= 11.1.4-h27, >= 11.1.6-h23, >= 11.1.10-h9, >= 11.1.13 |
| PAN-OS 10.2 | < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1 | >= 10.2.7-h32, >= 10.2.10-h30, >= 10.2.13-h18, >= 10.2.16-h6, >= 10.2.18-h1 |
| PAN-OS 10.1 | < 10.1.14-h20 | >= 10.1.14-h20 |
| Prisma Access 11.2 | < 11.2.7-h8* | >= 11.2.7-h8* |
| Prisma Access 10.2 | < 10.2.10-h29* | >= 10.2.10-h29* |
Administrators must upgrade without delay, as no alternatives are present, and response efforts are moderate with user-led recovery. Recommended actions include transitioning to the latest hotfixes such as PAN-OS 12.1.4 or 11.2.10-h2.
An external researcher has been credited for the disclosure. Discussions within the community indicate recent scanning activity potentially probing this vulnerability. Organizations should confirm configurations via Palo Alto’s support portal and keep an eye on DoS attempts while the POC remains accessible.
“`