PoC Elevates Risk Significantly
CVE-2026-0227 was first disclosed by Palo Alto Networks in January 2026 as a denial-of-service vulnerability in PAN-OS affecting GlobalProtect gateways and portals. At time of disclosure, no exploit code was publicly available and Palo Alto stated it was not aware of malicious exploitation. That situation has changed: a proof-of-concept exploit has now been published, lowering the barrier to exploitation and increasing the likelihood of automated scanning and targeting.
The existence of a PoC transforms a "patch when convenient" vulnerability into a "patch now" situation. Commodity threat actors who could not previously develop their own exploits can now deploy pre-built tools against unpatched GlobalProtect endpoints.
How the Attack Works
GlobalProtect gateways and portals are the internet-facing components of Palo Alto's remote access VPN infrastructure. They receive connection requests from GlobalProtect VPN clients and process the initial authentication and tunnel setup.
CVE-2026-0227 is triggered by sending malformed requests to the GlobalProtect gateway or portal interface. The PAN-OS firewall fails to properly handle the malformed input, resulting in a crash of the GlobalProtect service. Repeated exploitation forces the firewall into a mandatory maintenance mode, a recovery state that takes the device offline and requires administrator intervention to restore.
The attack requires no authentication, no prior access, and can be executed over the internet by any actor who can reach the GlobalProtect interface. A remote attacker can effectively disable an organisation's VPN gateway and, if the firewall is also serving as the network perimeter, interrupt all internet-dependent operations.
Affected Versions
CVE-2026-0227 affects PAN-OS 12.1, 11.2, 11.1, 10.2, and 10.1 across multiple sub-versions. Prisma Access versions 11.2 and 10.2 are also affected. Palo Alto has published fixed versions for all affected release lines; refer to the CVE-2026-0227 security advisory for the specific fixed version per release line.
Impact on GlobalProtect-Dependent Organisations
For organisations that rely on GlobalProtect as their primary remote access solution, a successful DoS attack against the gateway is a business disruption event. Remote workers, branch offices, and partner access are all interrupted. In organisations where the PAN-OS firewall also serves as the internet perimeter, disruption extends beyond VPN access.
The specific concern with denial-of-service attacks against network access infrastructure is their potential use as a precursor or distraction:
- Forced maintenance mode requires physical or out-of-band console access to restore, potentially triggering an on-call incident response that creates other security oversights
- Service disruption can be used to trigger failover to less-secure backup access paths if those exist
- Repeated attacks can be used to drain administrator response capacity as part of a broader campaign
Recommended Actions
- Check your PAN-OS version against the CVE-2026-0227 advisory and apply the patch. Given the PoC is now public, treat any unpatched GlobalProtect-facing appliance as actively at risk.
- If patching cannot happen immediately, restrict the GlobalProtect portal/gateway to known client IP ranges using PAN-OS security policy. This does not eliminate the risk but reduces the population of potential attackers.
- Enable alerting on GlobalProtect service crashes. Configure your monitoring to alert on GlobalProtect service state changes and unexpected maintenance mode entries so you can distinguish deliberate attacks from legitimate hardware events.
- Review your recovery procedure for maintenance mode. Ensure your operations team knows how to restore a firewall from maintenance mode and that this process has been tested. In a DoS scenario, a slow recovery is itself a secondary impact.
- Assess whether Prisma Access is in scope. Organisations using Prisma Access rather than on-premises PAN-OS firewalls for GlobalProtect should confirm with Palo Alto whether their tenant is on a fixed version.
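The crash and maintenance-mode alerting recommended above, as an added example that is not from the original article or from Palo Alto: a small Python detector run over constructed, simplified system-log lines. The log layout, the message wording, the host names and the thresholds are assumptions for illustration, not the real PAN-OS system-log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified syslog-like layout
# (not the real PAN-OS system-log format). fw-edge-1 shows a crash burst
# ending in maintenance mode; fw-edge-2 shows a single benign restart.
SAMPLE_LOGS = """\
2026-02-10T08:00:01Z fw-edge-1 system: GlobalProtect gateway service started
2026-02-10T08:14:32Z fw-edge-1 system: GlobalProtect gateway service crashed, restarting
2026-02-10T08:14:40Z fw-edge-1 system: GlobalProtect gateway service started
2026-02-10T08:15:05Z fw-edge-1 system: GlobalProtect gateway service crashed, restarting
2026-02-10T08:15:13Z fw-edge-1 system: GlobalProtect gateway service started
2026-02-10T08:15:41Z fw-edge-1 system: GlobalProtect gateway service crashed, restarting
2026-02-10T08:16:02Z fw-edge-1 system: device entering maintenance mode
2026-02-10T09:30:00Z fw-edge-2 system: GlobalProtect gateway service crashed, restarting
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) system: (?P<msg>.*)$")


def parse_lines(text):
    """Parse the assumed layout into (timestamp, host, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["msg"]))
    return events


def detect(text, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, host, timestamp).

    A single GlobalProtect restart is treated as noise; `threshold` crashes
    on one host inside `window` raise one alert (repeated exploitation is
    what drives the device into maintenance mode), and every maintenance-mode
    entry is alerted on so it can be matched against planned work.
    """
    alerts = []
    crashes = {}  # host -> crash timestamps still inside the window
    for ts, host, msg in parse_lines(text):
        if "maintenance mode" in msg:
            alerts.append(("maintenance_mode", host, ts))
        elif "GlobalProtect" in msg and "crashed" in msg:
            recent = [t for t in crashes.get(host, []) if ts - t <= window]
            recent.append(ts)
            crashes[host] = recent
            if len(recent) >= threshold:
                alerts.append(("repeated_gp_crash", host, ts))
                crashes[host] = []  # one alert per burst, then start over
    return alerts
```

Feed real system logs through `parse_lines` only after adjusting `LINE_RE` and the matched phrases to the format your SIEM actually receives.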