Summary
CVE-2026-0227 is a medium-severity issue in PAN-OS (10.2, 11.2, 12.1) with GlobalProtect enabled. A remote, unauthenticated attacker can force the firewall into maintenance mode, stopping traffic and VPN access until the device is rebooted. Cloud NGFW is not affected. Upgrade to 12.1.4+, 11.2.10-h2+, or 10.2.18-h1+.
Urgent Actions Required
- Disable GlobalProtect if not needed
- Upgrade PAN-OS to 12.1.4+, 11.2.10-h2+, or 10.2.18-h1+
- Update Prisma Access to 11.2.7-h8+ or 10.2.10-h29 / 10.2.4-h43+
- Ensure console or out-of-band access is available for recovery
- Monitor firewall logs for repeated authd or gpsvc process restarts, indicating attempted DoS exploitation
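The last action above (watching for repeated authd or gpsvc restarts) is easier to operationalize as a small sliding-window check over the system log. The following Python script is an added example written for this page, not a tool from Palo Alto Networks; the log line layout, the "exited unexpectedly" wording and the sample lines are all constructed assumptions, so adapt the regular expression to the format your firewall actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp host daemon: message" layout.
# They are NOT real PAN-OS output; adjust RESTART_RE to match your log export.
SAMPLE_LOG = """\
2026-01-10T08:00:01 fw1 sysd: process gpsvc started
2026-01-10T08:05:12 fw1 sysd: process gpsvc exited unexpectedly, restarting
2026-01-10T08:05:13 fw1 sysd: process gpsvc started
2026-01-10T08:06:40 fw1 sysd: process authd exited unexpectedly, restarting
2026-01-10T08:06:41 fw1 sysd: process authd started
2026-01-10T08:07:02 fw1 sysd: process gpsvc exited unexpectedly, restarting
2026-01-10T08:07:03 fw1 sysd: process gpsvc started
2026-01-10T08:08:30 fw1 sysd: process gpsvc exited unexpectedly, restarting
2026-01-10T08:08:31 fw1 sysd: process gpsvc started
2026-01-10T13:00:00 fw1 sysd: process authd exited unexpectedly, restarting
"""

# Processes named in the advisory as indicators of attempted DoS.
WATCHED = ("authd", "gpsvc")

# Assumed message shape; only restart events are captured, normal starts are ignored.
RESTART_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\S+\s+process\s+(?P<proc>\S+)\s+exited unexpectedly"
)


def parse_restarts(text):
    """Return a list of (host, process, timestamp) for every watched-process restart."""
    events = []
    for line in text.splitlines():
        m = RESTART_RE.match(line)
        if not m or m.group("proc") not in WATCHED:
            continue
        events.append((m.group("host"), m.group("proc"),
                       datetime.fromisoformat(m.group("ts"))))
    return events


def find_restart_storms(text, window=timedelta(minutes=10), threshold=3):
    """Return {(host, process): count} for every host/process pair that restarted
    `threshold` or more times inside any sliding `window`. Isolated restarts are
    normal operational noise; clusters are what the advisory tells you to alert on."""
    by_key = defaultdict(list)
    for host, proc, ts in parse_restarts(text):
        by_key[(host, proc)].append(ts)

    alerts = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (host, proc), count in find_restart_storms(SAMPLE_LOG).items():
        print(f"ALERT {host}: {proc} restarted {count} times within 10 minutes")
```

On the constructed sample the script flags gpsvc on fw1 (three restarts between 08:05 and 08:09) and stays quiet about authd, whose two restarts are hours apart. Tune `window` and `threshold` to your baseline before wiring this into an alerting pipeline.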
Which Systems Are Vulnerable to CVE-2026-0227?
Technical Overview
- Vulnerability Type: Unauthenticated Denial of Service (DoS) via GlobalProtect Gateway/Portal
- Affected Software/Versions:
  - PAN-OS 12.1: versions prior to 12.1.4 or 12.1.3-h3
  - PAN-OS 11.2: versions prior to 11.2.10-h2 or 11.2.7-h8
  - PAN-OS 10.2: versions prior to 10.2.18-h1, 10.2.16-h6, 10.2.13-h18, 10.2.10-h30, or 10.2.7-h32
  - Prisma Access 11.2: versions prior to 11.2.7-h8
  - Prisma Access 10.2: versions prior to 10.2.10-h29 or 10.2.4-h43
- Attack Vector: Network (unauthenticated, remote)
- CVSS Vector: v4.0
  - Attack Vector (AV): Network
  - Attack Complexity (AC): Low
  - Attack Requirements (AT): None
  - Privileges Required (PR): None
  - User Interaction (UI): None
  - Vulnerable System Confidentiality (VC): None
  - Vulnerable System Integrity (VI): None
  - Vulnerable System Availability (VA): High
  - Subsequent System Confidentiality (SC): None
  - Subsequent System Integrity (SI): None
  - Subsequent System Availability (SA): None
  - Automatable (AU): Yes
  - Recovery (R): User
  - Value Density (V): Diffuse
  - Vulnerability Response Effort (RE): Moderate
  - Provider Urgency (U): Amber
  - Exploit Maturity (E): Unreported
- Patch Availability: Yes, available
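Because PAN-OS and Prisma Access fixes land on several maintenance trains at once (for example 10.2.18-h1 as well as 10.2.16-h6, 10.2.13-h18, 10.2.10-h30 and 10.2.7-h32), comparing an installed version against the list above by hand is error-prone. The following Python helper is an added example for this page, not vendor code; it reads the fixed versions exactly as listed in the advisory, and it makes one stated assumption about how to interpret "prior to": a version counts as fixed only if its own major.minor.maint train has a listed fix and its hotfix number is at least that fix, or if its maintenance number is above the newest fixed release in that major.minor line. Unlisted maintenance releases that sit between two fixed trains (such as 10.2.17) are reported as not fixed, which is the safe reading for inventory purposes.

```python
import re

# Fixed versions, copied from the advisory's "Affected Software/Versions" list.
FIXED = {
    "PAN-OS": ["12.1.4", "12.1.3-h3",
               "11.2.10-h2", "11.2.7-h8",
               "10.2.18-h1", "10.2.16-h6", "10.2.13-h18", "10.2.10-h30", "10.2.7-h32"],
    "Prisma Access": ["11.2.7-h8", "10.2.10-h29", "10.2.4-h43"],
}

# major.minor.maint with an optional -h<hotfix> suffix, e.g. "10.2.18-h1".
VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s):
    """Turn '10.2.18-h1' into (10, 2, 18, 1); a missing hotfix counts as 0."""
    m = VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(product, version):
    """Return True if `version` carries the fix, False if it does not, and None if the
    advisory does not cover that major.minor line at all.

    Assumption (not the vendor's wording): a release is fixed when its own maintenance
    train has a listed fix and the hotfix is >= that fix, or when its maintenance
    number is newer than the newest fixed release of the same major.minor."""
    v = parse_version(version)
    trains = [parse_version(f) for f in FIXED.get(product, [])]
    same_line = [t for t in trains if t[:2] == v[:2]]
    if not same_line:
        return None
    for t in same_line:
        if t[:3] == v[:3]:          # exact maintenance train listed: compare hotfix
            return v[3] >= t[3]
    newest = max(same_line)
    return v[2] > newest[2]         # newer than every listed train, or an unlisted gap


def triage(inventory):
    """Map each (product, version) pair to 'fixed', 'vulnerable' or 'not covered'."""
    labels = {None: "not covered", True: "fixed", False: "vulnerable"}
    return {(p, ver): labels[is_fixed(p, ver)] for p, ver in inventory}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = [("PAN-OS", "12.1.3-h2"), ("PAN-OS", "12.1.5"), ("PAN-OS", "10.2.17"),
              ("PAN-OS", "10.2.13-h18"), ("PAN-OS", "11.1.5"), ("Prisma Access", "10.2.10-h28")]
    for key, verdict in triage(sample).items():
        print(f"{key[0]} {key[1]}: {verdict}")
```

Feed it the output of your asset inventory and review the "not covered" entries separately: those are release lines the advisory simply does not mention, not a clean bill of health.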
CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal
How Does the CVE-2026-0227 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2026-0227?
Vulnerability Root Cause:
The root cause of CVE-2026-0227 is improper handling of forged requests by GlobalProtect on PAN-OS and Prisma Access. A remote attacker who sends such a request can interrupt the service's availability, producing a denial of service (DoS).
How Can You Mitigate CVE-2026-0227?
If immediate patching is delayed or not possible:
- Allow only trusted networks to reach the GlobalProtect Portal and Gateway interfaces
- Restrict inbound access with firewall policies to reduce the attack surface
- Monitor GlobalProtect services for instability or unexpected outages
- Confirm that high availability (HA) is configured correctly so that a service outage has less impact on operations
Which Assets and Systems Are at Risk?
- Asset Types Affected:
  - PAN-OS Firewalls – Devices running affected versions where the GlobalProtect Gateway or Portal is enabled
  - Prisma Access Deployments – Instances utilizing the GlobalProtect service components
  - GlobalProtect Portal and Gateway Interfaces – The specific services exposed for remote access connectivity
- Business-Critical Systems at Risk:
  - Remote Access Infrastructure – Organizations relying on GlobalProtect for secure remote connectivity
  - User VPN Services – Environments where availability of the Portal or Gateway is essential for workforce access
  - Perimeter Security Appliances – Firewalls providing secure access that may experience service disruption
- Exposure Level:
  - Internet-Exposed GlobalProtect Interfaces – Particularly where the Portal or Gateway is accessible from external networks
  - Externally Reachable Prisma Access Services – Deployments allowing inbound connections to affected components
Will Patching CVE-2026-0227 Cause Downtime?
Patch application impact: Low to Moderate. Upgrade PAN-OS and Prisma Access to the fixed versions. If GlobalProtect availability is crucial, schedule maintenance as it may involve a restart and brief outage.
Mitigation (if immediate patching is not possible): Minimize the exposure of the GlobalProtect Portal and Gateway. Permit access only from trusted sources. Monitor for disruptions and enable high availability. Unpatched systems remain vulnerable to DoS until updated.