Palo Alto Networks has fixed a high-severity denial-of-service (DoS) vulnerability in its PAN-OS firewalls and Prisma Access configurations. The flaw, tracked as CVE-2026-0227, could allow unauthenticated attackers to repeatedly crash firewalls, forcing them into maintenance mode and disabling protections.
Vulnerability Details
- Affected products:
  - Next-generation firewalls running PAN-OS 10.1+.
  - Prisma Access configurations with GlobalProtect gateway/portal enabled.
- Impact:
  - Attackers can trigger DoS without authentication.
  - Repeated exploitation forces firewalls offline, disrupting security operations.
- Exposure: Shadowserver reports ~6,000 Palo Alto firewalls visible online, though patch status is unclear.
- Exploitation status: No evidence of active attacks yet.
Patch Guidance
Palo Alto released fixes across supported versions. Key upgrade paths include:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| PAN-OS 12.1 | 12.1.0–12.1.3 | Upgrade to 12.1.4+ |
| PAN-OS 11.2 | 11.2.0–11.2.10 | Upgrade to 11.2.10-h2+ |
| PAN-OS 11.1 | 11.1.0–11.1.12 | Upgrade to 11.1.13+ |
| PAN-OS 10.2 | 10.2.0–10.2.18 | Upgrade to 10.2.18-h1+ |
| Prisma Access 11.2 | 11.2.x | Upgrade to 11.2.7-h8+ |
| Prisma Access 10.2 | 10.2.x | Upgrade to 10.2.10-h29+ |
| Cloud NGFW | All | No action needed |
Unsupported PAN-OS versions must be upgraded to a supported release.
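A version-triage helper, added here as an example (not code from Palo Alto's advisory), that encodes the table above and compares PAN-OS and Prisma Access version strings including their `-hN` hotfix suffix, so that 11.2.10 is reported as affected while 11.2.10-h2 is fixed. Host names and version numbers in the sample inventory are constructed.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int, int]

# Earliest fixed release per product and maintenance train, from the advisory table.
# A train absent from this map has no listed fix and must move to a supported release.
FIXED_VERSIONS = {
    ("PAN-OS", (12, 1)): "12.1.4",
    ("PAN-OS", (11, 2)): "11.2.10-h2",
    ("PAN-OS", (11, 1)): "11.1.13",
    ("PAN-OS", (10, 2)): "10.2.18-h1",
    ("Prisma Access", (11, 2)): "11.2.7-h8",
    ("Prisma Access", (10, 2)): "10.2.10-h29",
}
NOT_AFFECTED = {"Cloud NGFW"}  # advisory lists no action needed

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Version:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A release with no hotfix suffix sorts as hotfix 0, so 11.2.10 < 11.2.10-h2.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def assess(product: str, version: str) -> str:
    """Return 'fixed', 'affected', 'unsupported' or 'not affected'."""
    if product in NOT_AFFECTED:
        return "not affected"
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, v[:2]))
    if fixed is None:
        return "unsupported"  # no fixed release listed for this train
    return "fixed" if v >= parse_version(fixed) else "affected"

if __name__ == "__main__":
    inventory = [  # constructed sample inventory, not real hosts
        ("fw-edge-01", "PAN-OS", "11.2.10"),
        ("fw-edge-02", "PAN-OS", "11.2.10-h2"),
        ("fw-dc-01", "PAN-OS", "10.2.18-h1"),
        ("fw-legacy", "PAN-OS", "10.1.14"),
        ("prisma-eu", "Prisma Access", "11.2.7-h3"),
    ]
    for host, product, version in inventory:
        print(f"{host:12} {product:14} {version:12} {assess(product, version)}")
```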
Broader Context
- Past incidents:
  - Nov 2024: Two PAN-OS zero-days exploited for root access.
  - Dec 2024: CVE-2024-3393 DoS bug abused to reboot firewalls.
  - Feb 2025: Multiple chained flaws (CVE-2025-0111, CVE-2025-0108, CVE-2024-9474) used in attacks.
- Recent activity: GreyNoise tracked 7,000+ IPs brute-forcing GlobalProtect portals, showing attackers actively target Palo Alto infrastructure.
Recommendations
- Immediate patching: Upgrade to fixed PAN-OS/Prisma Access versions.
- Exposure reduction: Limit external access to GlobalProtect portals and management interfaces.
- Monitoring: Watch for repeated firewall crashes or maintenance mode triggers.
- Incident readiness: Review past advisories—Palo Alto firewalls are frequent targets of zero-day exploitation.
Takeaway
CVE-2026-0227 underscores the criticality of patching firewall infrastructure quickly. Even without exploitation in the wild yet, Palo Alto firewalls remain high-value targets for attackers due to their widespread use across enterprises, governments, and financial institutions.