High-Severity DoS Vulnerability in Palo Alto Networks Firewalls
Summary
Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls (versions 10.1 and later) and Prisma Access configurations with GlobalProtect enabled. The flaw allows unauthenticated attackers to disable firewall protections through repeated DoS attacks, forcing the firewall into maintenance mode. A proof-of-concept (PoC) exploit exists, and the vulnerability arises from an improper check for exceptional conditions (CWE-754). Most cloud-based Prisma Access instances have been patched, but some remain in progress. No evidence of exploitation has been found yet. Palo Alto Networks has released security updates for all affected versions, advising admins to upgrade to the latest releases. The vulnerability highlights the ongoing targeting of Palo Alto firewalls, which have been frequently exploited in recent attacks.
Timeline
- 15.01.2026 11:02 (2 articles)
Palo Alto Networks Patches High-Severity DoS Vulnerability in Firewalls
Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls and Prisma Access configurations. The flaw allows unauthenticated attackers to disable firewall protections. Most cloud-based Prisma Access instances have been patched, with remaining customers scheduled for upgrades. No evidence of exploitation has been found yet. Security updates have been released for all affected versions, and admins are advised to upgrade immediately. The vulnerability arises from an improper check for exceptional conditions (CWE-754). A proof-of-concept (PoC) exploit exists, and there are no workarounds to mitigate the flaw.
Sources:
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
Information Snippets
- CVE-2026-0227 affects PAN-OS firewalls running versions 10.1 or later and Prisma Access configurations with GlobalProtect enabled.
  First reported: 15.01.2026 10:18 (2 sources, 2 articles):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- The vulnerability allows unauthenticated attackers to cause a DoS condition, forcing the firewall into maintenance mode.
  First reported: 15.01.2026 10:18 (2 sources, 2 articles):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- Most cloud-based Prisma Access instances have been patched, with remaining customers scheduled for upgrades.
  First reported: 15.01.2026 10:18 (2 sources, 2 articles):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- No evidence of exploitation of CVE-2026-0227 has been found yet.
  First reported: 15.01.2026 10:18 (2 sources, 2 articles):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- Palo Alto Networks has released security updates for all affected versions, advising immediate upgrades.
  First reported: 15.01.2026 10:18 (2 sources, 2 articles):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- Shadowserver tracks nearly 6,000 Palo Alto Networks firewalls exposed online, though the number of vulnerable configurations is unknown.
  First reported: 15.01.2026 11:02 (1 source, 1 article):
- Palo Alto Networks warns of DoS bug letting hackers disable firewalls — www.bleepingcomputer.com — 15.01.2026 11:02
- CVE-2026-0227 has a CVSS score of 7.7.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- The vulnerability arises from an improper check for exceptional conditions (CWE-754).
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- A proof-of-concept (PoC) exploit exists for CVE-2026-0227.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- The flaw affects specific versions of PAN-OS and Prisma Access.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- Palo Alto Networks' Cloud Next-Generation Firewall (NGFW) is not impacted.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- There are no workarounds to mitigate the flaw.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
- Exposed GlobalProtect gateways have seen repeated scanning activity over the past year.
  First reported: 15.01.2026 10:18 (1 source, 1 article):
- Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login — thehackernews.com — 15.01.2026 10:18
Similar Happenings
Active Exploitation of Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-14733)
WatchGuard has released patches for a critical out-of-bounds write vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS, which is being actively exploited in the wild. The flaw affects the iked process and could allow remote unauthenticated attackers to execute arbitrary code. The vulnerability impacts various versions of Fireware OS, including 2025.1, 12.x, 12.5.x, and 12.3.1, while versions 11.x are end-of-life. WatchGuard has observed active exploitation attempts from several IP addresses, some of which are linked to recent Fortinet vulnerabilities. The company has provided indicators of compromise (IoCs) and temporary mitigation steps for affected devices.
Eighth Chrome Zero-Day Vulnerability Patched in 2025
Google has released an emergency update to fix a high-severity zero-day vulnerability in Chrome, marking the eighth such flaw exploited in attacks in 2025. The vulnerability, a buffer overflow in ANGLE's Metal renderer, affects Chrome for Windows, macOS, and Linux. It is referred to only by Google's internal tracker ID, 466192044; no CVE has been assigned, and the issue is marked 'Under coordination', so its details may stay restricted until a majority of users have received the fix. The flaw could lead to memory corruption, crashes, sensitive information leaks, and arbitrary code execution. Users are advised to update to versions 143.0.7499.109 for Windows and Linux, and 143.0.7499.110 for macOS. The update also addresses two medium-severity vulnerabilities (CVE-2025-14372 and CVE-2025-14373). Google has additionally released patches for three new Chrome zero-day vulnerabilities, including a high-severity one for which an exploit is accessible in the wild.
SOAPwn Vulnerability in .NET Framework Enables Remote Code Execution
A critical vulnerability, codenamed SOAPwn, in the .NET Framework allows attackers to achieve remote code execution by manipulating Web Services Description Language (WSDL) imports and HTTP client proxies. The flaw impacts multiple enterprise applications, including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Exploiting SOAPwn can lead to arbitrary file writes and NTLM relay attacks. Microsoft has declined to patch the issue, attributing it to application behavior. The vulnerability was disclosed at the Black Hat Europe security conference by WatchTowr Labs researcher Piotr Bazydlo. Affected vendors have released patches to address the flaw.
Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws
Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in the Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning about script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.
Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-64155) Exploited in the Wild
Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-64155. The flaw, with a CVSS score of 9.4, allows unauthenticated attackers to execute unauthorized code or commands via crafted TCP requests. The vulnerability affects Super and Worker nodes in FortiSIEM versions 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. The flaw involves an unauthenticated argument injection vulnerability leading to arbitrary file write and a file overwrite privilege escalation vulnerability leading to root access. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.