Palo Alto Networks Patches PAN-OS Bug That Can Disrupt GlobalProtect

Palo Alto Networks patched CVE-2026-0227, a PAN-OS DoS bug that can disrupt GlobalProtect gateways and portals.

Written By
Ken Underhill
Jan 15, 2026

A Palo Alto Networks firewall vulnerability could let attackers disrupt remote access for organizations that depend on GlobalProtect, potentially pushing affected systems into maintenance mode and interrupting service.

The flaw in PAN-OS can be exploited by unauthenticated attackers over the network against GlobalProtect gateways and portals.

The vulnerability “… enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode,” said Palo Alto Networks in its advisory. 

GlobalProtect DoS Risk Explained

CVE-2026-0227 impacts PAN-OS firewalls and Prisma Access systems running GlobalProtect portals or gateways, putting remote access deployments most at risk.  

Palo Alto Networks confirmed the issue spans multiple PAN-OS release trains, including both current and older branches, making version verification and patch planning important across mixed environments. 

Notably, Cloud NGFW is not affected, which limits risk for customers using that cloud-delivered platform.

The vulnerability is a denial-of-service (DoS) flaw that can be triggered remotely by an unauthenticated attacker over the network. 

Palo Alto rated the flaw 7.7 (HIGH) because it can disrupt GlobalProtect portals and gateways and potentially force systems into recovery after repeated attacks. 

The issue is caused by improper handling of unusual or exceptional conditions, which can lead to unstable behavior when the service receives malformed traffic or repeated abnormal requests. 

In practical terms, exploitation is straightforward: it can be triggered remotely over the network without authentication, privileges, or user interaction, making it feasible to automate against exposed GlobalProtect interfaces. 

Palo Alto Networks also aligns the activity with CAPEC-210 (Abuse Existing Functionality), since attackers may repeatedly invoke normal request paths in ways the system does not handle reliably under edge conditions. 

While proof-of-concept (PoC) exploit code exists, there are no reports of exploitation in the wild and a patch has been released for the vulnerability.


Reducing Risk From Remote DoS Attacks

Because the flaw can be triggered remotely without authentication, internet-facing portals and gateways should be treated as the highest risk. 

The actions below focus on fast remediation, limiting attack surface, and improving resilience if disruption occurs.

  • Patch affected PAN-OS and Prisma Access systems to the fixed releases for your branch, prioritizing the latest hotfix versions.
  • Prioritize internet-facing GlobalProtect portals and gateways first, since exploitation is remote, unauthenticated, and easy to automate.
  • Reduce GlobalProtect exposure by disabling unused portals and gateways and restricting access using IP allowlists or trusted network ranges.
  • Add upstream protection such as DDoS mitigation and connection rate limiting to reduce the impact of repeated attack traffic.
  • Monitor GlobalProtect and firewall health for abnormal traffic spikes, repeated connection attempts, and signs of instability or maintenance mode events.
  • Prepare operational recovery steps by validating failover options, maintaining out-of-band access, and testing incident response plans.

Combined, these steps reduce the blast radius of disruption attempts and keep remote access recoverable.


Remote Access Downtime Risk

This vulnerability is a reminder that remote access services like GlobalProtect remain a high-value target, and even availability-only flaws can create meaningful operational disruption if left unpatched. 

With proof-of-concept code available and exploitation requiring no authentication, organizations should move quickly to validate exposure, apply fixed releases, and prioritize internet-facing gateways and portals. 

To reduce this kind of exposure long term, teams are turning to zero-trust strategies that limit implicit access and help shrink the blast radius of remote access threats.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
