CVE-2022-0028: PAN-OS DoS Vulnerability in Palo Alto Firewalls and Lessons for 2026

Palo Alto Networks PAN-OS vulnerability CVE-2022-0028 (CVSS score 8.6) could lead to a mirrored, amplified TCP DoS attack. Learn which versions are affected and how to mitigate the risk.

High-Risk DoS Vulnerability (CVE-2022-0028) in Palo Alto PAN-OS Firewall

Critical DoS Vulnerability (CVE-2022-0028) in Palo Alto Networks PAN-OS Firewall

A serious denial of service (DoS) vulnerability in Palo Alto Networks devices, CVE-2022-0028 (CVSS score 8.6), creates real security risk. It affects the hardware, virtual, and containerized firewall series (PA, VM, and CN) and stems from a misconfigured PAN-OS URL filtering policy that can allow a network-based attacker to launch reflected and amplified TCP DoS attacks.

The PAN-OS DoS vulnerability does not directly compromise the confidentiality, integrity, or availability of Palo Alto's devices. It is still rated high risk, however, because an attacker can make the firewall appear to be the origin of the attack. That obscures the attack's true source and significantly impedes incident response and threat attribution.

Which PAN-OS Versions Are Vulnerable to CVE-2022-0028?

CVE-2022-0028 affects the PAN-OS releases listed below; Palo Alto Networks made updates available on August 15, 2022. The affected PAN-OS versions are as follows:

  • PAN-OS 10.2: <10.2.2-h2 (Patched in version 10.2.2-h2)
  • PAN-OS 10.1: <10.1.6-h6 (Patched in version 10.1.6-h6)
  • PAN-OS 10.0: <10.0.11-h1 (Patched in version 10.0.11-h1)
  • PAN-OS 9.1: <9.1.14-h4 (Patched in version 9.1.14-h4)
  • PAN-OS 9.0: <9.0.16-h3 (Patched in version 9.0.16-h3)
  • PAN-OS 8.1: <8.1.23-h1 (Patched in version 8.1.23-h1)
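To make the version list above actionable across a fleet, here is an added example that is not from the article or from Palo Alto Networks. It parses PAN-OS version strings, including the `-hN` hotfix suffix, and compares each one against the patched release for its train. The patched-release thresholds are the ones listed above; the inventory hostnames, the version `11.0.1`, and the `triage_inventory` helper are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patched releases from the advisory, as listed in the article. A device is
# vulnerable when it runs the same major.minor train at an earlier release.
PATCHED_RELEASES: Dict[str, str] = {
    "10.2": "10.2.2-h2",
    "10.1": "10.1.6-h6",
    "10.0": "10.0.11-h1",
    "9.1": "9.1.14-h4",
    "9.0": "9.0.16-h3",
    "8.1": "8.1.23-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a tuple that compares correctly.

    The hotfix number defaults to 0, so a base release sorts before its
    own -h1 hotfix, and 10.1.7 sorts after 10.1.6-h6.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the release predates the fix for its train, False if patched.

    Returns None when the major.minor train is not in the advisory table;
    treat that as "check the advisory", not as "safe".
    """
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = PATCHED_RELEASES.get(train)
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage_inventory(devices: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (hostname, version) pair as VULNERABLE, PATCHED or UNKNOWN."""
    labels = {True: "VULNERABLE", False: "PATCHED", None: "UNKNOWN"}
    return [(host, ver, labels[is_vulnerable(ver)]) for host, ver in devices]


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.1.6-h5"),
    ("fw-edge-02", "10.1.6-h6"),
    ("fw-dc-01", "9.1.14"),
    ("fw-branch-07", "10.2.3"),
    ("fw-lab-01", "11.0.1"),
]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:12} {status}")
```

The comparison is done on integer tuples rather than on strings, which is what makes `9.1.14` correctly sort below `9.1.14-h4` and `10.1.7` above `10.1.6-h6`. An `UNKNOWN` result means the train is simply not in the table above, not that the device is safe.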

Understanding the Nature of CVE-2022-0028 and the Risks

This DoS vulnerability is unusual because it originates from a URL filtering policy misconfiguration within PAN-OS. When URL filtering is misconfigured, the firewall can be made to handle certain TCP requests in a way that reflects and amplifies traffic toward a target of the attacker's choosing.

Palo Alto Networks Recommendations and Mitigation Steps

To protect against this vulnerability, the vendor recommends updating to the latest PAN-OS patches. The patches that address CVE-2022-0028 specifically adjust URL filtering handling to remove the conditions that allow a reflected TCP DoS attack.

For PAN-OS users, Palo Alto provides the following immediate steps for mitigation:

  1. Update PAN-OS Versions: Upgrading to the patched PAN-OS versions listed above will close the vulnerability.
  2. Review URL Filtering Policies: Ensure URL filtering policies are configured securely and appropriately. Regular audits can help identify potential misconfigurations that could lead to similar issues.
  3. Use Threat Intelligence and Monitoring Tools: Leverage threat intelligence to monitor for signs of unusual firewall activity that could indicate abuse by attackers. Tracking atypical traffic patterns can help you quickly detect any attempts to exploit vulnerabilities within firewall configurations.

In particular, this vulnerability allows attackers to use the PAN-OS firewall itself as part of the attack. By doing so, they can point the TCP DoS attack toward a specified target while using the Palo Alto device to amplify and reflect this malicious traffic. This not only masks the true origin but also implicates the firewall itself as the source, creating confusion for security response teams.

For those managing high-stakes or highly exposed systems, consider Palo Alto’s Keepnet Human Risk Management Platform for thorough monitoring of user actions and behavior that could expose security gaps.

For a complete breakdown on best practices in security awareness, Palo Alto Networks offers the Keepnet Labs Security Awareness Training that guides IT and security teams through essential security configurations to prevent exploitable scenarios like this.

Implications for Security Teams and the Importance of Proactive Patching

Proactive vulnerability management and fast patching cycles are crucial for staying ahead of these types of threats. Even a minor misconfiguration can quickly escalate into an exploitable vulnerability if it allows attackers to leverage enterprise infrastructure for malicious activities. In the case of CVE-2022-0028, allowing attackers to disguise their actions through your infrastructure not only adds security risk but also could damage the organization’s reputation as the true source of the attack.

Security Awareness and Proactive Defense

Security awareness is an essential complement to effective patch management. Investing in solutions like Phishing Simulators and Awareness Educators enables users to recognize signs of malicious activity while ensuring that IT teams maintain best practices for network defenses. Read more on the role of security awareness training in reducing human error for deeper insights into proactive defense.

For more insights into Denial of Service (DoS) attack prevention, explore Palo Alto’s dedicated blog posts on incident response for DoS attacks and threat response management for complex environments.

Editor's Note: This article was updated on May 20, 2026.

Frequently Asked Questions

What is CVE-2022-0028 and what does it allow attackers to do?

CVE-2022-0028 is a high severity vulnerability in Palo Alto Networks PAN-OS that allows an attacker to use an affected firewall as an amplification device in a reflected and amplified TCP denial of service (DoS) attack against a third party target. The vulnerability arises from a URL filtering policy misconfiguration in PAN-OS. Exploitation does not require authentication and does not compromise the confidentiality or integrity of the firewall itself, but it allows the device to be weaponized to flood external targets with traffic.

What is a reflected amplification DoS attack?

A reflected amplification DoS attack uses an intermediary device or service to amplify and redirect attack traffic toward a target. The attacker sends small requests that cause the intermediary to send larger responses to the victim's IP address. The victim receives a flood of traffic far exceeding what the attacker sent directly. CVE-2022-0028 enables this by allowing a misconfigured PAN-OS device to reflect and amplify TCP traffic toward a target, making the attack harder to trace and more difficult to absorb.

Which PAN-OS versions are affected by CVE-2022-0028?

CVE-2022-0028 affects PAN-OS versions 10.2 (below 10.2.2-h2), 10.1 (below 10.1.6-h6), 10.0 (below 10.0.11-h1), 9.1 (below 9.1.14-h4), 9.0 (below 9.0.16-h3), and 8.1 (below 8.1.23-h1). Organizations running any of these versions should apply the available patches immediately. Devices running Panorama, Cloud NGFW, and Prisma Access are not affected by this vulnerability.

Does CVE-2022-0028 compromise the firewall itself?

No. CVE-2022-0028 does not grant attackers access to the firewall, nor does it compromise the confidentiality or integrity of data processed by the device. The vulnerability specifically enables the firewall to be used as an unwitting participant in a DoS attack against a third party. The firewall continues to function normally while being exploited, which is why it can go unnoticed without monitoring of outbound traffic patterns.

How does a URL filtering policy misconfiguration create this vulnerability?

The vulnerability arises when a URL filtering policy is configured in a way that allows the firewall to process and respond to certain TCP requests that should be blocked or handled differently. An attacker who identifies a firewall with this misconfiguration can craft requests that cause the device to send amplified TCP responses to a target IP address of the attacker's choosing, effectively using the firewall as a traffic amplifier without needing any credentials or authenticated access to the device.

What immediate steps should organizations take to mitigate CVE-2022-0028?

Organizations should update PAN-OS to the patched versions as soon as possible. As interim mitigations while patches are applied: if Threat Prevention is licensed, enable Antivirus, Anti-Spyware, and Vulnerability Protection security profiles; review URL filtering policies and remove any configuration that allows the device to process traffic in the manner this vulnerability exploits; and ensure no PAN-OS management interface is exposed to the internet. Monitoring outbound traffic for unusual patterns can also help detect whether a device is being exploited.
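Step 3 of the mitigation list earlier in the article and this answer both recommend watching outbound traffic for signs that the firewall is being used as a reflector. As an added example that is not part of the article, the following script aggregates per-peer byte counts from flow records and flags peers that receive far more from the firewall than they send to it, which is the asymmetry a reflected, amplified attack produces. The firewall address, the sample flow records, the CSV layout, and the thresholds are all assumptions constructed for the example.

```python
import csv
import io
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed external address of the PAN-OS firewall; replace with your own.
FIREWALL_IP = "203.0.113.10"

# Constructed sample flow records (not real telemetry). One line per
# unidirectional flow: timestamp, source, destination, protocol, bytes.
# Peers .20 and .21 are ordinary two-way sessions, .22 is a large but
# legitimate download, and 192.0.2.77 shows the reflection asymmetry.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes
2022-08-15T10:00:01Z,198.51.100.20,203.0.113.10,tcp,1200
2022-08-15T10:00:01Z,203.0.113.10,198.51.100.20,tcp,1500
2022-08-15T10:00:02Z,198.51.100.20,203.0.113.10,tcp,800
2022-08-15T10:00:02Z,203.0.113.10,198.51.100.20,tcp,900
2022-08-15T10:00:03Z,198.51.100.21,203.0.113.10,tcp,3000
2022-08-15T10:00:03Z,203.0.113.10,198.51.100.21,tcp,3500
2022-08-15T10:00:04Z,198.51.100.22,203.0.113.10,tcp,500
2022-08-15T10:00:04Z,203.0.113.10,198.51.100.22,tcp,20000
2022-08-15T10:00:05Z,192.0.2.77,203.0.113.10,tcp,600
2022-08-15T10:00:05Z,203.0.113.10,192.0.2.77,tcp,48000
2022-08-15T10:00:06Z,203.0.113.10,192.0.2.77,tcp,48000
2022-08-15T10:00:07Z,10.9.9.9,10.9.9.10,tcp,70000
"""


def peer_byte_totals(flow_text: str, fw_ip: str) -> Dict[str, Tuple[int, int]]:
    """Sum bytes the firewall sent to and received from each peer.

    Returns peer -> (bytes_out, bytes_in). Flows that do not involve
    fw_ip on either end are ignored.
    """
    out_bytes: Dict[str, int] = defaultdict(int)
    in_bytes: Dict[str, int] = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_text)):
        nbytes = int(row["bytes"])
        if row["src"] == fw_ip:
            out_bytes[row["dst"]] += nbytes
        elif row["dst"] == fw_ip:
            in_bytes[row["src"]] += nbytes
    peers = set(out_bytes) | set(in_bytes)
    return {p: (out_bytes[p], in_bytes[p]) for p in peers}


@dataclass
class Finding:
    peer: str
    bytes_out: int
    bytes_in: int
    ratio: float


def flag_reflection(flow_text: str, fw_ip: str,
                    min_out_bytes: int = 50_000,
                    min_ratio: float = 10.0) -> List[Finding]:
    """Flag peers that get far more from the firewall than they send to it.

    Both thresholds must be met: a high out/in ratio alone also matches a
    legitimate download, and a large volume alone also matches a normal
    symmetric session. The thresholds are assumed and should be tuned to
    a baseline of the device's normal traffic.
    """
    findings: List[Finding] = []
    for peer, (out_b, in_b) in peer_byte_totals(flow_text, fw_ip).items():
        ratio = out_b / in_b if in_b else math.inf   # nothing received: treat as extreme
        if out_b >= min_out_bytes and ratio >= min_ratio:
            findings.append(Finding(peer, out_b, in_b, ratio))
    findings.sort(key=lambda f: f.bytes_out, reverse=True)
    return findings


if __name__ == "__main__":
    for f in flag_reflection(SAMPLE_FLOWS, FIREWALL_IP):
        print(f"{f.peer}: {f.bytes_out} B out vs {f.bytes_in} B in (ratio {f.ratio:.0f}x)")
```

In the constructed data, `198.51.100.22` has a 40x ratio but only 20,000 bytes out, so it is not flagged, while `192.0.2.77` receives 96,000 bytes against 600 sent and is. The flow between `10.9.9.9` and `10.9.9.10` never touches the firewall address and is skipped entirely. In production the same logic would be fed from the firewall's traffic logs or a NetFlow collector over a sliding window rather than from an inline string.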

Why do DoS vulnerabilities in network devices matter for organizations?

DoS vulnerabilities in network devices like firewalls matter for several reasons: the affected device can be used to attack others, exposing the organization to legal and reputational risk; the volume of outbound traffic generated during exploitation can degrade the organization's own network performance; and security teams may not notice the exploitation because the firewall appears to be functioning normally. Organizations whose devices are used in DoS attacks against others may face scrutiny from ISPs, regulators, or victims.

What is the relationship between vulnerability management and security awareness training?

Vulnerability management addresses technical weaknesses in systems, while security awareness training addresses the human behaviors that create or fail to prevent security incidents. Both are necessary. A misconfigured URL filtering policy, like the one enabling CVE-2022-0028, may result from human error during configuration. Training security and network teams on secure configuration practices, recognizing signs of exploitation, and following patch management procedures complements technical controls. Keepnet's Security Awareness Training helps organizations build the human layer defenses that prevent misconfigurations and improve response to vulnerability disclosures.

How quickly should organizations patch critical network device vulnerabilities?

Industry guidance recommends patching critical and high severity vulnerabilities within 24 to 72 hours for internet facing devices. For vulnerabilities that enable active exploitation in the wild, immediate patching or mitigation is required. Organizations that cannot patch immediately should apply available workarounds, increase monitoring, and restrict management access to the affected device. A delay of days or weeks in patching high severity vulnerabilities significantly increases the risk of exploitation.

What is the broader lesson from vulnerabilities like CVE-2022-0028 for network security teams?

The broader lesson is that even trusted security devices like firewalls can become attack tools when misconfigured or left unpatched. Network security teams should maintain an accurate inventory of all network devices and their firmware versions, subscribe to vendor security advisories, establish a rapid patching workflow for critical devices, and review device configurations against security hardening guides regularly. Pairing these technical practices with employee security awareness programs ensures that both the technical and human layers of defense are continuously strengthened.