PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal

Plan Patch8.7CVE-2026-0227Jan 14, 2026

Palo Alto Networks

IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries

Summary

A vulnerability in Palo Alto Networks PAN-OS and Prisma Access enables an unauthenticated attacker to cause a denial of service (DoS) to the GlobalProtect Gateway and Portal components. Repeated attempts to trigger this issue force the firewall into maintenance mode, requiring manual recovery and blocking all network traffic through that device.

What this means

What could happen

An unauthenticated attacker can repeatedly crash the GlobalProtect Gateway or Portal component, forcing the firewall into maintenance mode and blocking all network traffic through that device until it is manually recovered.

Who's at risk

Organizations using Palo Alto Networks PAN-OS firewalls or Prisma Access cloud-based security service for remote access and VPN connectivity. This affects both on-premises firewalls and cloud-hosted security infrastructure that rely on GlobalProtect for employee remote connectivity.

How it could be exploited

An attacker sends specially crafted requests to the GlobalProtect Gateway or Portal endpoint (typically exposed on the internet). No credentials are required. Repeated exploitation causes the firewall process to crash and enter maintenance mode, requiring manual intervention to restore normal operations.

Prerequisites

Network reachability to GlobalProtect Gateway or Portal public IP address or hostname
No authentication required

remotely exploitableno authentication requiredcauses service denialaffects remote access infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

PAN-OSBelow 12.1.3-h312.1.3-h3+

PAN-OSBelow 12.1.412.1.4+

Prisma AccessBelow 11.2.4-h1511.2.4-h15+

Prisma AccessBelow 11.2.7-h811.2.7-h8+

Prisma AccessBelow 11.2.10-h211.2.10-h2+

Remediation & Mitigation

0/7

Do now

0/2

HARDENINGImplement network access controls to restrict connections to GlobalProtect Gateway or Portal to known trusted users and IP ranges

HARDENINGMonitor firewall logs for repeated connection attempts or errors on GlobalProtect endpoints and alert on anomalies

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

PAN-OS

HOTFIXUpdate PAN-OS to version 12.1.3-h3 or later

HOTFIXUpdate PAN-OS to version 12.1.4 or later

Prisma Access

HOTFIXUpdate Prisma Access to version 11.2.4-h15 or later

HOTFIXUpdate Prisma Access to version 11.2.7-h8 or later

HOTFIXUpdate Prisma Access to version 11.2.10-h2 or later

CVEs (1)

CVE-2026-0227

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4e7eed0a-67ff-4aa1-bc29-e6b527ad6db2

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.