Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User











Palo Alto Networks fixed a new command injection vulnerability in PAN‑OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface.

Two related medium‑severity issues in the same advisory window cover CLI privilege escalation (CVE‑2026‑0272) and a tunnel traffic denial‑of‑service bug (CVE‑2026‑0269).

CVE‑2026‑0273 affects PA‑Series and VM‑Series firewalls as well as Panorama appliances running specific PAN‑OS 12.1, 11.2, 11.1 and 10.2 versions.

The flaw is rated 6.1 under CVSS v4.0. It stems from improper input handling, allowing an authenticated admin to bypass normal system restrictions and run arbitrary OS commands with root privileges via the CLI or the management web UI.

No special configuration is required: if a privileged user can log in to a vulnerable management interface, the device is at risk. Cloud NGFW and Prisma Access are explicitly listed as not affected.


CVE‑2026‑0272 is a medium‑severity privilege escalation vulnerability in the PAN‑OS CLI that allows an authenticated administrator to perform actions on the device with root privileges.

Like CVE‑2026‑0273, it impacts PA‑Series, VM‑Series and Panorama across supported 12.1, 11.2, 11.1 and 10.2 trains, but not Cloud NGFW or Prisma Access.

CVE‑2026‑0269 is a memory corruption flaw in tunnel traffic processing that allows an authenticated user to repeatedly reboot a firewall by sending crafted packets.

Devices configured with IPsec tunnels or GlobalProtect gateways are exposed, and repeated exploitation can push the firewall into maintenance mode, impacting availability.

Palo Alto Networks says it is not aware of any malicious exploitation of these three vulnerabilities at the time of disclosure.

| Product / PAN‑OS train | CVE ID | Affected versions (examples) | Fixed / upgrade to (examples) |
|---|---|---|---|
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 12.1: from 12.1.4 up to (but excluding) 12.1.4‑h7 and from 12.1.0 up to (but excluding) 12.1.7 | 12.1.4‑h7, 12.1.7 and later in the 12.1 line |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 11.2: from 11.2.4 up to (but excluding) 11.2.4‑h18; 11.2.7 up to 11.2.7‑h16; 11.2.10 up to 11.2.10‑h9; 11.2.0–<11.2.12 | 11.2.4‑h18, 11.2.7‑h16, 11.2.10‑h9, 11.2.12 and later in the 11.2 line |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 11.1: from 11.1.4 up to 11.1.4‑h34; 11.1.6 up to 11.1.6‑h33; 11.1.7 up to 11.1.7‑h7; 11.1.10 up to 11.1.10‑h27; 11.1.13 up to 11.1.13‑h7; 11.1.0–<11.1.15 | 11.1.4‑h34, 11.1.6‑h33, 11.1.7‑h7, 11.1.10‑h27, 11.1.13‑h7, 11.1.15 and later in 11.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 10.2: from 10.2.7 up to 10.2.7‑h35; 10.2.10 up to 10.2.10‑h37; 10.2.13 up to 10.2.13‑h22; 10.2.16 up to 10.2.16‑h8; 10.2.18 up to 10.2.18‑h7 | 10.2.7‑h35, 10.2.10‑h37, 10.2.13‑h22, 10.2.16‑h8, 10.2.18‑h7 and later in 10.2 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 12.1: 12.1.2 through 12.1.4‑h* (before 12.1.4‑h7) | 12.1.4‑h7, 12.1.5 or later in 12.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 11.2: 11.2.0–<11.2.4‑h18; 11.2.5–<11.2.7‑h16; 11.2.8–<11.2.10‑h9; 11.2.10–<11.2.11 | 11.2.4‑h18, 11.2.7‑h16, 11.2.10‑h9, 11.2.11 and later in 11.2 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 11.1: 11.1.0–<11.1.4‑h34; 11.1.5–<11.1.6‑h33; 11.1.7–<11.1.7‑h7; 11.1.8–<11.1.10‑h27; 11.1.11–<11.1.13‑h7; 11.1.13–<11.1.14 | 11.1.4‑h34, 11.1.6‑h33, 11.1.7‑h7, 11.1.10‑h27, 11.1.13‑h7, 11.1.14 and later in 11.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 10.2: 10.2.0–<10.2.7‑h35; 10.2.8–<10.2.10‑h37; 10.2.11–<10.2.13‑h22; 10.2.14–<10.2.16‑h8; 10.2.17–<10.2.18‑h5 | 10.2.7‑h35, 10.2.10‑h37, 10.2.13‑h22, 10.2.16‑h8, 10.2.18‑h5 and later in 10.2 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 12.1: 12.1.2–<12.1.4‑h5 and 12.1.0–<12.1.5 | 12.1.4‑h5, 12.1.5 and later in 12.1 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 11.2: 11.2.0–<11.2.4‑h17; 11.2.5–<11.2.7‑h4; 11.2.8–<11.2.9; 11.2.9–<11.2.10 | 11.2.4‑h17, 11.2.7‑h4, 11.2.10 and later in 11.2 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 11.1: 11.1.0–<11.1.4‑h33; 11.1.5–<11.1.6‑h21; 11.1.7–<11.1.10‑h7; 11.1.11–<11.1.12 | 11.1.4‑h33, 11.1.6‑h21, 11.1.10‑h7, 11.1.12 and later in 11.1 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 10.2: 10.2.0–<10.2.7‑h34; 10.2.4–<10.2.16‑h6; 10.2.8–<10.2.10‑h36; 10.2.11–<10.2.13‑h21; 10.2.17–<10.2.18 | 10.2.7‑h34, 10.2.10‑h36, 10.2.13‑h21, 10.2.16‑h6, 10.2.18 and later in 10.2 |

For CVE‑2026‑0273, vulnerable branches include PAN‑OS 12.1, 11.2, 11.1, and 10.2 up to, but not including, hotfixes such as 12.1.4‑h7, 11.2.4‑h18, 11.1.4‑h34, 10.2.7‑h35, and later maintenance releases such as 12.1.7, 11.2.12, 11.1.15, and 10.2.18‑h7.
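
The hotfix scheme makes "is this box fixed?" harder than a simple version sort, so here is an added example (not from Palo Alto Networks or the original article) that checks running versions against the CVE-2026-0273 fixed releases listed above. The function names and the inventory are assumptions made for illustration. Any release in a listed train that has reached neither a fixed hotfix for its own maintenance level nor the train's newest fixed release is flagged for upgrade, which is a conservative reading of the table.

```python
import re

# Fixed releases for CVE-2026-0273, copied from the table above (ASCII hyphens).
FIXED_0273 = {
    "12.1": ["12.1.4-h7", "12.1.7"],
    "11.2": ["11.2.4-h18", "11.2.7-h16", "11.2.10-h9", "11.2.12"],
    "11.1": ["11.1.4-h34", "11.1.6-h33", "11.1.7-h7", "11.1.10-h27",
             "11.1.13-h7", "11.1.15"],
    "10.2": ["10.2.7-h35", "10.2.10-h37", "10.2.13-h22", "10.2.16-h8",
             "10.2.18-h7"],
}
# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {"fw-edge-01": "11.1.6-h33", "fw-dc-02": "11.2.10-h8",
             "panorama-01": "10.2.18-h5", "fw-lab-03": "12.1.7"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """'11.1.4-h34' -> (11, 1, 4, 34); a release with no hotfix gets hotfix 0."""
    m = _VERSION.match(version.strip().replace("\u2011", "-"))
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def status(version, fixed=FIXED_0273):
    """Return 'fixed', 'upgrade' or 'train-not-listed' for one running version."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if train not in fixed:
        return "train-not-listed"
    fixes = [parse(f) for f in fixed[train]]
    # At or beyond the newest fixed release in the train ("and later").
    if v >= max(fixes):
        return "fixed"
    # Otherwise only a hotfix on the same maintenance release counts:
    # 11.1.6 sorts after 11.1.4-h34 but is only fixed from 11.1.6-h33.
    for f in fixes:
        if f[:3] == v[:3] and v[3] >= f[3]:
            return "fixed"
    return "upgrade"


def needs_upgrade(inventory):
    """Hostnames whose running version still needs a CVE-2026-0273 fix."""
    return sorted(h for h, ver in inventory.items() if status(ver) == "upgrade")
```
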

CVE‑2026‑0272 and CVE‑2026‑0269 follow similar patterns, with fixes provided in the latest “‑h” hotfixes and subsequent maintenance versions for each train.

Organizations running older, unsupported PAN‑OS branches are advised to upgrade to a supported, fixed release rather than relying solely on configuration.

Palo Alto recommends restricting management access to only trusted internal IP addresses and limiting CLI access to a small group of administrators, in line with its administrative access best‑practice guidance.

Using a hardened jump box as the sole host with access to the firewall management interfaces further reduces the risk that stolen credentials can be abused.

Customers with a Threat Prevention subscription can also block exploit attempts for CVE‑2026‑0273 by enabling the dedicated Threat IDs, provided management traffic is routed through a data plane interface and decrypted so the firewall can inspect it.

For the tunnel DoS bug CVE‑2026‑0269, Palo Alto lists no practical workaround and directs customers to upgrade to fixed code and review tunnel exposure.

While all three issues require authenticated access, they offer strong post‑compromise leverage, allowing attackers to gain root control of devices or disrupt VPN and remote access services.

Patching should therefore be prioritized in environments where management or tunnel endpoints are reachable from semi‑trusted networks.


The post Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User appeared first on Cyber Security News.






Abinaya




