Palo Alto Networks Patches Two PAN-OS Flaws That Can Force Firewalls Into Reboot Loops

Palo Alto Networks has patched two denial-of-service vulnerabilities in PAN-OS that let unauthenticated attackers knock firewalls offline — no credentials required.

A Proof-of-Concept Is Already Out There. Have You Patched Your Palo Alto Firewall Yet?

Two newly disclosed vulnerabilities in Palo Alto Networks' PAN-OS firewall software can knock enterprise firewalls completely offline — no login required. Patches are out now, and at least one flaw already has proof-of-concept code in the wild.


What Happened?

Palo Alto Networks disclosed two separate denial-of-service (DoS) flaws in PAN-OS within days of each other — and both share the same end result: an attacker forces the firewall into a continuous reboot cycle until it enters maintenance mode and stops functioning entirely.

The first, CVE-2026-0227 (CVSS 7.7 — High), affects PAN-OS Next-Generation Firewall and Prisma Access configurations with the GlobalProtect remote access gateway or portal enabled. An unauthenticated attacker on the network can send crafted packets to trigger repeated crashes. The flaw was reported by an outside researcher, and — notably — proof-of-concept code already exists. Palo Alto described the urgency as "moderate." Given that a PoC is floating around, that description is charitable.

The second, CVE-2026-0229 (CVSS 6.6 / CVSS-B 8.7 — Medium), hits the Advanced DNS Security (ADNS) feature specifically on deployments where the spyware profile is set to block, sinkhole, or alert traffic. This one was caught internally by a Palo Alto researcher. No PoC is public, and no active exploitation has been confirmed. But the mechanics are the same: malformed DNS packets, repeated crashes, maintenance mode.

Both flaws stem from improper handling of unusual or malformed input — the firewalls don't know what to do with the packets, so they panic and restart. Keep hitting them, and they stop coming back.

This isn't the first time PAN-OS has been here. A nearly identical flaw — CVE-2024-3393 — was exploited as a zero-day in late 2024 before patches were available. Same attack pattern, same maintenance mode outcome. That one made it into the wild first.


What's the Impact?

A firewall in maintenance mode is a firewall that isn't protecting anything. For organizations in healthcare, finance, or critical infrastructure — anywhere uptime is non-negotiable — that's a serious problem even if attackers don't go further than causing the outage.

Threat intelligence firm Flashpoint put it plainly: the risk here is resilience, not direct compromise. Modern firewalls are built to fail closed, not open, so entering maintenance mode doesn't automatically expose the network to intrusion. But it does create a blind spot. And the window between "firewall down" and "admin notices and fixes it" is exactly the kind of opportunity attackers look for.

CVE-2026-0227 is the more urgent of the two. The CVSS 7.7 score plus an existing PoC puts it in a different category than a theoretical flaw. In late 2025, GreyNoise also tracked a spike in automated login attempts against GlobalProtect — the same component this vulnerability affects. The attack surface is already being tested.

CVE-2026-0229 carries a lower base score, but the CVSS-B of 8.7 reflects real-world exposure. Organizations with ADNS enabled and active spyware policies should treat this as a near-term patching priority.


How to Avoid This

Patch now — that's the short version. Palo Alto has published detailed patch tables covering PAN-OS versions 10.2, 11.1, 11.2, and 12.1. Versions older than 10.2 are no longer supported; the only fix is migrating to a current, supported release.

For CVE-2026-0229 specifically, Cloud NGFW, Prisma Access, PAN-OS 11.1, and 10.2 are already safe. Most Prisma Access customers have been patched automatically, with a small number still in progress.

A few things worth doing right now:

  • Check your PAN-OS version in the dashboard and confirm whether you fall within the affected range.
  • Verify GlobalProtect gateway/portal status — if it's exposed and unpatched, disabling the VPN interface temporarily is a reasonable stopgap until the patch is applied.
  • Check ADNS configuration — if your spyware profile is set to block, sinkhole, or alert, CVE-2026-0229 applies to you.
  • Enable automatic updates if your change management process allows it, so you're not the last to know next time.
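
The version and feature checks in the list above can be run across a whole inventory. The following is an added example, not code from Palo Alto Networks or from this article. It assumes one first-fixed version per release train. The fixed versions, hostnames and record fields are constructed placeholders to be replaced with values from the vendor patch tables and your own inventory.

```python
import re

ADNS_UNAFFECTED = {(10, 2), (11, 1)}            # trains the article lists as safe from CVE-2026-0229
ADNS_ACTIONS = {"block", "sinkhole", "alert"}   # spyware-profile actions named in the article

def parse_version(text):
    """'11.2.4-h3' -> (11, 2, 4, 3); a release without a hotfix suffix gets 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(device, fixed):
    """List what one inventory record still needs.
    fixed maps CVE id -> {(major, minor): first fixed version}, copied from the advisory."""
    ver = parse_version(device["version"])
    train = ver[:2]
    if train < (10, 2):
        return ["unsupported release: migrate to a supported version"]
    exposed = []
    if device.get("globalprotect"):
        exposed.append("CVE-2026-0227")
    if device.get("adns_action") in ADNS_ACTIONS and train not in ADNS_UNAFFECTED:
        exposed.append("CVE-2026-0229")
    findings = []
    for cve in exposed:
        first_fixed = fixed.get(cve, {}).get(train)
        if first_fixed is None:
            findings.append(f"{cve}: no fixed version on file, check the advisory")
        elif ver < parse_version(first_fixed):
            findings.append(f"{cve}: upgrade to {first_fixed} or later")
    return findings

# Constructed placeholders, NOT real fixed versions: fill in from the vendor patch tables.
FIXED = {
    "CVE-2026-0227": {(10, 2): "10.2.99", (11, 1): "11.1.99", (11, 2): "11.2.99-h1", (12, 1): "12.1.99"},
    "CVE-2026-0229": {(11, 2): "11.2.99-h1", (12, 1): "12.1.99"},
}
# Constructed inventory records (hypothetical hostnames and settings).
INVENTORY = [
    {"name": "edge-fw-01", "version": "11.2.4-h3", "globalprotect": True, "adns_action": "sinkhole"},
    {"name": "dc-fw-02", "version": "11.1.6", "globalprotect": False, "adns_action": "block"},
    {"name": "lab-fw-03", "version": "10.1.14", "globalprotect": True, "adns_action": None},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], triage(dev, FIXED) or ["no action from these two advisories"])
```

Hotfix releases sort above their base release (11.2.4-h3 is newer than 11.2.4), which plain string comparison gets wrong; the tuple comparison handles it.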

There are no config-based workarounds for either vulnerability. Patching is the only real fix.

Given that the predecessor flaw was actively exploited before patches existed, waiting on these two isn't a bet worth making.