{"id":13565,"date":"2026-06-12T10:03:44","date_gmt":"2026-06-12T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/12\/palo-alto-pan-os-vulnerability-allows-attackers-to-execute-arbitrary-commands-as-root-user\/"},"modified":"2026-06-12T10:03:44","modified_gmt":"2026-06-12T10:03:44","slug":"palo-alto-pan-os-vulnerability-allows-attackers-to-execute-arbitrary-commands-as-root-user","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/12\/palo-alto-pan-os-vulnerability-allows-attackers-to-execute-arbitrary-commands-as-root-user\/","title":{"rendered":"Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User"},"content":{"rendered":"

Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Palo Alto Networks fixed a new command injection vulnerability in PAN\u2011OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface.<\/p>\n

Two related medium\u2011severity issues in the same advisory window cover CLI privilege escalation (CVE\u20112026\u20110272) and a tunnel traffic denial\u2011of\u2011service bug<\/a> (CVE\u20112026\u20110269).<\/p>\n

CVE\u20112026\u20110273 affects PA\u2011Series and VM\u2011Series firewalls as well as Panorama appliances running specific PAN\u2011OS 12.1, 11.2, 11.1 and 10.2 versions.<\/p>\n

The flaw is rated 6.1 under CVSS v4.0. It stems from improper input handling, allowing an authenticated admin to bypass normal system restrictions and run arbitrary OS commands with root privileges via the CLI or the management web UI.<\/p>\n

No special configuration is required: if a privileged user can log in to a vulnerable management interface, the device is at risk. Cloud NGFW and Prisma Access are explicitly listed as not affected.<\/p>\n

Palo Alto PAN-OS Vulnerability<\/strong><\/h2>\n

CVE\u20112026\u20110272 is a medium\u2011severity privilege escalation vulnerability in the PAN\u2011OS CLI that allows an authenticated administrator to perform actions on the device with root privileges<\/a>.<\/p>\n

Like CVE\u20112026\u20110273, it impacts PA\u2011Series, VM\u2011Series and Panorama across supported 12.1, 11.2, 11.1 and 10.2 trains, but not Cloud NGFW or Prisma Access.<\/p>\n

CVE\u20112026\u20110269 is a memory corruption flaw in tunnel traffic processing that allows an authenticated user to repeatedly reboot a firewall by sending crafted packets.<\/p>\n

Devices configured with IPsec tunnels or GlobalProtect gateways are exposed, and repeated exploitation can push the firewall into maintenance mode, impacting availability.<\/p>\n

Palo Alto Networks says it is not aware of any malicious exploitation<\/a> of these three vulnerabilities at the time of disclosure.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Product \/ PAN\u2011OS train<\/th>\nCVE ID<\/th>\nAffected versions (examples)<\/th>\nFixed \/ upgrade to (examples)<\/th>\n<\/tr>\n<\/thead>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110273<\/td>\n12.1: from 12.1.4 up to (but excluding) 12.1.4\u2011h7 and from 12.1.0 up to (but excluding) 12.1.7 <\/td>\n12.1.4\u2011h7, 12.1.7 and later in the 12.1 line <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110273<\/td>\n11.2: from 11.2.4 up to (but excluding) 11.2.4\u2011h18; 11.2.7 up to 11.2.7\u2011h16; 11.2.10 up to 11.2.10\u2011h9; 11.2.0\u2013<11.2.12 <\/td>\n11.2.4\u2011h18, 11.2.7\u2011h16, 11.2.10\u2011h9, 11.2.12 and later in the 11.2 line <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110273<\/td>\n11.1: from 11.1.4 up to 11.1.4\u2011h34; 11.1.6 up to 11.1.6\u2011h33; 11.1.7 up to 11.1.7\u2011h7; 11.1.10 up to 11.1.10\u2011h27; 11.1.13 up to 11.1.13\u2011h7; 11.1.0\u2013<11.1.15 <\/td>\n11.1.4\u2011h34, 11.1.6\u2011h33, 11.1.7\u2011h7, 11.1.10\u2011h27, 11.1.13\u2011h7, 11.1.15 and later in 11.1<\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110273<\/td>\n10.2: from 10.2.7 up to 10.2.7\u2011h35; 10.2.10 up to 10.2.10\u2011h37; 10.2.13 up to 10.2.13\u2011h22; 10.2.16 up to 10.2.16\u2011h8; 10.2.18 up to 10.2.18\u2011h7<\/td>\n10.2.7\u2011h35, 10.2.10\u2011h37, 10.2.13\u2011h22, 10.2.16\u2011h8, 10.2.18\u2011h7 and later in 10.2 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110272<\/td>\n12.1: 12.1.2 through 12.1.4\u2011h* (before 12.1.4\u2011h7) <\/td>\n12.1.4\u2011h7, 12.1.5 or later in 12.1<\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110272<\/td>\n11.2: 11.2.0\u2013<11.2.4\u2011h18; 11.2.5\u2013<11.2.7\u2011h16; 11.2.8\u2013<11.2.10\u2011h9; 11.2.10\u2013<11.2.11 <\/td>\n11.2.4\u2011h18, 11.2.7\u2011h16, 11.2.10\u2011h9, 11.2.11 and later in 11.2 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110272<\/td>\n11.1: 11.1.0\u2013<11.1.4\u2011h34; 11.1.5\u2013<11.1.6\u2011h33; 11.1.7\u2013<11.1.7\u2011h7; 11.1.8\u2013<11.1.10\u2011h27; 11.1.11\u2013<11.1.13\u2011h7; 11.1.13\u2013<11.1.14 <\/td>\n11.1.4\u2011h34, 11.1.6\u2011h33, 11.1.7\u2011h7, 11.1.10\u2011h27, 11.1.13\u2011h7, 11.1.14 and later in 11.1 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series, Panorama<\/td>\nCVE\u20112026\u20110272<\/td>\n10.2: 10.2.0\u2013<10.2.7\u2011h35; 10.2.8\u2013<10.2.10\u2011h37; 10.2.11\u2013<10.2.13\u2011h22; 10.2.14\u2013<10.2.16\u2011h8; 10.2.17\u2013<10.2.18\u2011h5 <\/td>\n10.2.7\u2011h35, 10.2.10\u2011h37, 10.2.13\u2011h22, 10.2.16\u2011h8, 10.2.18\u2011h5 and later in 10.2 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series (IPsec\/GlobalProtect only)<\/td>\nCVE\u20112026\u20110269<\/td>\n12.1: 12.1.2\u2013<12.1.4\u2011h5 and 12.1.0\u2013<12.1.5 <\/td>\n12.1.4\u2011h5, 12.1.5 and later in 12.1 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series (IPsec\/GlobalProtect only)<\/td>\nCVE\u20112026\u20110269<\/td>\n11.2: 11.2.0\u2013<11.2.4\u2011h17; 11.2.5\u2013<11.2.7\u2011h4; 11.2.8\u2013<11.2.9; 11.2.9\u2013<11.2.10 <\/td>\n11.2.4\u2011h17, 11.2.7\u2011h4, 11.2.10 and later in 11.2 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series (IPsec\/GlobalProtect only)<\/td>\nCVE\u20112026\u20110269<\/td>\n11.1: 11.1.0\u2013<11.1.4\u2011h33; 11.1.5\u2013<11.1.6\u2011h21; 11.1.7\u2013<11.1.10\u2011h7; 11.1.11\u2013<11.1.12 <\/td>\n11.1.4\u2011h33, 11.1.6\u2011h21, 11.1.10\u2011h7, 11.1.12 and later in 11.1 <\/td>\n<\/tr>\n
PA\u2011Series, VM\u2011Series (IPsec\/GlobalProtect only)<\/td>\nCVE\u20112026\u20110269<\/td>\n10.2: 10.2.0\u2013<10.2.7\u2011h34; 10.2.4\u2013<10.2.16\u2011h6; 10.2.8\u2013<10.2.10\u2011h36; 10.2.11\u2013<10.2.13\u2011h21; 10.2.17\u2013<10.2.18 <\/td>\n10.2.7\u2011h34, 10.2.10\u2011h36, 10.2.13\u2011h21, 10.2.16\u2011h6, 10.2.18 and later in 10.2 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

For CVE\u20112026\u20110273<\/a>, vulnerable branches include PAN\u2011OS 12.1, 11.2, 11.1, and 10.2 up to, but not including, hotfixes such as 12.1.4\u2011h7, 11.2.4\u2011h18, 11.1.4\u2011h34, 10.2.7\u2011h35, and later maintenance releases such as 12.1.7, 11.2.12, 11.1.15, and 10.2.18\u2011h7.<\/p>\n

CVE\u20112026\u20110272<\/a> and CVE\u20112026\u20110269<\/a> follow similar patterns, with fixes provided in the latest \u201c\u2011h\u201d hotfixes and subsequent maintenance versions for each train.<\/p>\n

Organizations running older, unsupported PAN\u2011OS branches are advised to upgrade to a supported, fixed release rather than relying solely on configuration.<\/p>\n

Palo Alto recommends restricting management access to only trusted internal IP addresses and limiting CLI access to a small group of administrators, in line with its administrative access best\u2011practice guidance.<\/p>\n

Using a hardened jump box as the sole host with access to the firewall management interfaces<\/a> further reduces the risk that stolen credentials can be abused.<\/p>\n

Customers with a Threat Prevention subscription can also block exploit attempts for CVE\u20112026\u20110273 by enabling the dedicated Threat IDs, provided management traffic is routed through a data plane interface and decrypted so the firewall can inspect it.<\/p>\n

For the tunnel DoS bug CVE\u20112026\u20110269, Palo Alto lists no practical workaround and directs customers to upgrade to fixed code and review tunnel exposure.<\/p>\n

While all three issues require authenticated access, they offer strong post\u2011compromise leverage, allowing attackers to gain root control of devices or disrupt VPN<\/a> and remote access services.<\/p>\n

So patching should be prioritized in environments where management or tunnel endpoints are reachable from semi\u2011trusted networks.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n

The post Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Palo Alto Networks fixed a new command injection vulnerability in PAN\u2011OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface. Two related medium\u2011severity issues in the same advisory window cover CLI privilege escalation […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-13565","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13565"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13565"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13565\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}