PAN-OS: Denial of Service (DoS) in Tunnel Traffic Processing
Monitor · CVSS 6.9 · CVE-2026-0269 · Jun 10, 2026
Palo Alto Networks · Transportation
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A memory corruption vulnerability in PAN-OS tunnel traffic processing allows an authenticated user to craft packets that trigger firewall reboots. Repeated exploitation forces the firewall into maintenance mode, blocking network traffic. The vulnerability affects PAN-OS versions below 12.1.4-h5 or 12.1.5, and multiple versions of Panorama and Prisma Access. Cloud NGFW and some Panorama deployments are not affected.
What this means
What could happen
An authenticated user could send specially crafted tunnel traffic to force the firewall to reboot, causing network outages. Repeated attacks could leave the firewall stuck in maintenance mode, interrupting traffic flow until manual recovery.
Who's at risk
Transportation facilities and other organizations using Palo Alto Networks PAN-OS firewalls, particularly those with active IPSec tunnels, SSL VPN, or other tunnel-based remote access configurations. Affected models include all PAN-OS versions below the patched releases.
How it could be exploited
An attacker with network access to the firewall's tunnel interfaces sends a maliciously crafted packet that triggers a memory corruption flaw in tunnel processing. The firewall reboots. Repeated packets force it into maintenance mode, breaking network connectivity for all downstream traffic.
Prerequisites
- Network access to firewall tunnel interfaces (IPSec, SSL VPN, or similar)
- Authentication credentials for the firewall (if required by tunnel configuration)
remotely exploitable · authentication required · causes denial of service · firewall maintenance mode could extend outage
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (9)
9 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| PAN-OS | Below 12.1.4-h5 | 12.1.4-h5+ |
| PAN-OS | Below 12.1.5 | 12.1.5+ |
| Panorama | Below 11.2.4-h17 | 11.2.4-h17+ |
| Panorama | Below 11.2.7-h4 | 11.2.7-h4+ |
| Panorama | Below 11.2.10 | 11.2.10+ |
| Prisma Access | Below 11.1.4-h33 | 11.1.4-h33+ |
| Prisma Access | Below 11.1.6-h21 | 11.1.6-h21+ |
| Prisma Access | Below 11.1.10-h7 | 11.1.10-h7+ |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to firewall tunnel interfaces to trusted IP addresses and networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
PAN-OS
HOTFIX: Update PAN-OS to version 12.1.4-h5 or later (for 12.1.x branch) or 12.1.5 or later (for newer branches)
Panorama
HOTFIX: Update Panorama management to version 11.2.4-h17 or later (for 11.2.4 branch), 11.2.7-h4 or later (for 11.2.7 branch), or 11.2.10 or later (for 11.2 branch)
Prisma Access
HOTFIX: Update Prisma Access to version 11.1.4-h33 or later (for 11.1.4 branch), 11.1.6-h21 or later (for 11.1.6 branch), 11.1.10-h7 or later (for 11.1.10 branch), or 11.1.12 or later (for 11.1 branch)
Long-term hardening
HARDENING: Disable unused tunnel protocols (IPSec, SSL VPN) if not required for operations
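
A plain string comparison mishandles hotfix suffixes such as `-h5`, so the following added example (not vendor code and not part of the original advisory) checks a running version against the fixed releases listed above. It assumes a hotfix entry covers only its own maintenance release and that a plain maintenance release covers everything later in the same major.minor train; the function names and the inventory are constructed for illustration.

```python
import re

# Fixed releases copied from the advisory text above.
FIXED = {
    "PAN-OS": ["12.1.4-h5", "12.1.5"],
    "Panorama": ["11.2.4-h17", "11.2.7-h4", "11.2.10"],
    "Prisma Access": ["11.1.4-h33", "11.1.6-h21", "11.1.10-h7", "11.1.12"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """'12.1.4-h5' -> (12, 1, 4, 5); a release without a hotfix gets hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def status(product, running):
    """Return 'fixed', 'affected', or 'unknown' (train not listed in the advisory)."""
    run = parse(running)
    fixes = [parse(v) for v in FIXED[product]]
    same_train = [f for f in fixes if f[:2] == run[:2]]
    if not same_train:
        return "unknown"  # assumption: do not guess for trains the page omits
    for fix in same_train:
        # Hotfix entry: applies only to its own maintenance release.
        if fix[3] and fix[:3] == run[:3] and run[3] >= fix[3]:
            return "fixed"
        # Plain maintenance release: it and everything later in the train is fixed.
        if not fix[3] and run[:3] >= fix[:3]:
            return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed inventory, for illustration only.
    inventory = [("edge-fw-01", "PAN-OS", "12.1.4-h4"),
                 ("edge-fw-02", "PAN-OS", "12.1.5"),
                 ("mgmt-01", "Panorama", "11.2.8")]
    for host, product, version in inventory:
        print(f"{host:12} {product:10} {version:12} {status(product, version)}")
```

A result of `unknown` means the release train does not appear in the fix list above and should be checked against the vendor advisory directly.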