Palo Alto Networks Patches DoS Bug That Lets Hackers Disable Firewalls
Palo Alto Networks patches CVE-2026-0227, a high-severity DoS flaw in PAN-OS that lets unauthenticated attackers push firewalls into maintenance mode. Nearly 6,000 devices are exposed online.
Palo Alto Networks has patched CVE-2026-0227, a high-severity denial-of-service vulnerability in PAN-OS that lets unauthenticated attackers knock firewalls offline. Repeated exploitation pushes affected devices into maintenance mode, effectively disabling all firewall protections.
What is affected
The flaw hits next-generation firewalls running PAN-OS 10.1 and later, plus Prisma Access configurations with GlobalProtect gateway or portal enabled. That covers a large chunk of Palo Alto's enterprise install base.
Shadowserver currently tracks nearly 6,000 Palo Alto firewalls exposed to the internet. How many of those have vulnerable configurations is unknown, but the attack surface is not small.
Patches available
Palo Alto has released fixes across all affected PAN-OS versions. Cloud NGFW customers need no action. For on-prem deployments, the upgrade matrix spans PAN-OS 10.2 through 12.1. Most cloud-based Prisma Access instances are already patched, with remaining customers scheduled through the standard upgrade process.
At the time of disclosure, Palo Alto said there was no evidence of active exploitation. That is limited reassurance, because Palo Alto firewalls are a recurring target. In November 2024, two zero-days were chained to gain root access, and in December 2024, another DoS flaw (CVE-2024-3393) was actively exploited in the wild.
WAFplanet take
This is another reminder that network firewalls are not set-and-forget infrastructure. A DoS vulnerability in a firewall is particularly nasty because the device meant to protect you becomes the single point of failure.
For organizations running Palo Alto alongside cloud WAFs like Cloudflare or AWS WAF, this is less catastrophic. Layered security means one component going down does not leave you fully exposed. But if your Palo Alto firewall is the only thing between your application and the internet, patch now.
The pattern of recurring Palo Alto vulnerabilities also raises a broader question. When your firewall vendor ships critical patches quarterly, your patching process needs to match that cadence. Alternatives like F5 Advanced WAF and FortiWeb have their own patch cycles, but the frequency of high-severity Palo Alto bugs is notable.