In a security advisory dated Jan 15, 2026, Palo Alto Networks said that a high-severity denial-of-service flaw in GlobalProtect Gateway and Portal, tracked as CVE-2026-0227 with a CVSS score of 7.7, has a proof-of-concept exploit and has been addressed in released security updates.
KEY FACTS
- Incident: Denial-of-service vulnerability in GlobalProtect Gateway and Portal
- Identifier: CVE-2026-0227, CVSS 7.7
- Impact: Repeated triggers can force firewalls into maintenance mode
- Mitigation: Security updates released, no workarounds
The flaw results from an improper check for exceptional conditions, classified as CWE-754. An unauthenticated actor can trigger it to cause a denial of service, and repeated attempts place the firewall into maintenance mode.
Multiple PAN-OS and Prisma Access builds are affected across PAN-OS 10.1 through 12.1 families. Affected builds include PAN-OS 12.1 prior to 12.1.3-h3 and 12.1.4, several 11.2 and 11.1 maintenance releases, and multiple 10.2 and 10.1 releases as detailed in the advisory.
The issue applies only to NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal. Cloud Next-Generation Firewall is not impacted. There are no workarounds. An unnamed external researcher discovered the issue. While there is no evidence of active exploitation, exposed GlobalProtect gateways have seen repeated scanning activity over the past year.
WHY IT MATTERS
Administrators should apply the provided updates promptly because an unauthenticated actor can cause denial-of-service at exposed GlobalProtect endpoints and a proof-of-concept exists.

