
Palo Alto Networks Patches High-Risk PAN-OS Flaw That Lets Hackers Disable Firewalls



Palo Alto Networks has fixed a serious DoS vulnerability (CVE-2026-0227) that could have allowed attackers to put PAN-OS firewalls into maintenance mode and disrupt networks for GlobalProtect and Prisma Access users globally.

Following the discovery of a high-severity vulnerability that attackers could use to launch a denial-of-service (DoS) attack, Palo Alto Networks released patches for its PAN-OS firewall platform.

The vulnerability, designated CVE-2026-0227 with a CVSS score of 7.7 ('high' severity), affects customers using PAN-OS NGFW (Next-Generation Firewall) or Prisma Access configurations with the company's GlobalProtect remote access gateway or portal enabled.

According to the Palo Alto advisory, if left unpatched, this might allow an unauthorized attacker to cause a denial of service on the firewall. The firewall goes into maintenance mode when attempts to trigger the problem are repeated.

Although the firm doesn't explain what would happen if a firewall went into maintenance mode, it's difficult to imagine that it wouldn't cause network interruptions while administrators rushed to fix the problem.

The Palo Alto Networks advisory notes that the problem was discovered by an anonymous researcher and that proof-of-concept (PoC) code is available, although the company says it is unaware of exploitation in the wild.

Palo Alto's statement that the problem is of "moderate urgency" seems optimistic because PoCs frequently leak out or are independently replicated. The current vulnerability is reminiscent of the almost identical Palo Alto Networks DoS bug from late 2024, CVE-2024-3393, which likewise forced impacted firewalls into maintenance mode. That earlier bug was a zero-day vulnerability, since attackers discovered the problem before patches were released.

More recently, GlobalProtect and Cisco VPNs were the target of an increase in automated login attempts in December, according to threat intelligence firm GreyNoise. Earlier in 2025, PAN-OS was compromised by a significant zero-day vulnerability, CVE-2025-0108, which allowed attackers to bypass login authentication.

Palo Alto Networks has disclosed around 500 vulnerabilities to date, many of which impacted PAN-OS, according to the company's security advisory. A representative for the threat intelligence firm Flashpoint noted that a substantial minority had to do with DoS problems. However, a significant percentage of past Palo Alto disclosures, especially older PAN-OS issues, were not assigned CVE designations, which can make long-term vendor comparisons more difficult.

