Palo Alto PAN-OS Vulnerability Lets Authenticated Admins Run Root Commands
Palo Alto Networks has patched a PAN-OS command injection vulnerability that can let an authenticated administrator run arbitrary commands as root. The flaw is tracked as CVE-2026-0273 and affects certain PA-Series firewalls, VM-Series firewalls, and Panorama appliances.
The vulnerability does not allow unauthenticated remote takeover by itself. An attacker would need access to the PAN-OS CLI or the web management interface with administrator privileges. That still makes the bug serious because stolen admin credentials or overexposed management access could turn it into a full device compromise.
Palo Alto Networks also fixed two related PAN-OS issues in the same advisory window. CVE-2026-0272 is a CLI privilege escalation issue, while CVE-2026-0269 is a denial-of-service flaw in tunnel traffic processing.
What CVE-2026-0273 allows attackers to do
CVE-2026-0273 is a command injection bug in PAN-OS. Palo Alto Networks says it allows an authenticated administrator to bypass system restrictions and run arbitrary commands as the root user through the CLI or web UI.
The vulnerability has a CVSS-BT score of 6.1 and a Medium severity rating. Its practical risk depends heavily on how the firewall management interface is exposed and how tightly administrator access is controlled.
Cloud NGFW and Prisma Access are not affected. The affected products are PAN-OS on PA-Series firewalls, VM-Series firewalls, and Panorama virtual and M-Series appliances.
| CVE | Issue | Severity | Main impact |
| --- | --- | --- | --- |
| CVE-2026-0273 | Authenticated admin command injection via CLI or web UI | Medium, CVSS-BT 6.1 | Root command execution on vulnerable PAN-OS devices |
| CVE-2026-0272 | Privilege escalation in the PAN-OS CLI | Medium, CVSS-BT 6.0 | Authenticated admin can perform actions with root privileges |
| CVE-2026-0269 | Denial of service in tunnel traffic processing | Medium, CVSS-BT 4.6 | Repeated firewall reboots and possible maintenance mode |
Affected PAN-OS versions and fixed releases
The command injection flaw affects supported PAN-OS 12.1, 11.2, 11.1, and 10.2 release trains, depending on the exact maintenance version and hotfix level. Palo Alto Networks released fixed hotfixes and later maintenance versions for each affected branch.
For CVE-2026-0273, fixes include 12.1.4-h7 or 12.1.7 and later, 11.2.4-h18 or 11.2.12 and later, 11.1.4-h34 or 11.1.15 and later, and 10.2.7-h35 or 10.2.18-h7 and later. Admins should check the exact target version for their installed branch before upgrading.
Older unsupported PAN-OS branches should not be treated as safe. Palo Alto Networks advises customers running unsupported versions to upgrade to a supported fixed release instead of relying only on configuration changes.
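The version comparison described above can be scripted. The following is an added example, not code from Palo Alto Networks or from this article: it encodes only the CVE-2026-0273 fixed builds listed above, assumes hotfixes on one maintenance release are cumulative, and uses a constructed inventory with hypothetical device names. Builds the article does not cover are flagged for a manual check against the vendor advisory rather than guessed.

```python
import re

# Fixed builds for CVE-2026-0273 as listed in the article: (maintenance, hotfix).
# The last entry of each train is the "and later" floor.
FIXED = {
    "12.1": [(4, 7), (7, 0)],
    "11.2": [(4, 18), (12, 0)],
    "11.1": [(4, 34), (15, 0)],
    "10.2": [(7, 35), (18, 7)],
}
_VERSION = re.compile(r"^(\d+\.\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into (train, maintenance, hotfix)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)

def status(version):
    train, maint, hotfix = parse(version)
    fixes = FIXED.get(train)
    if fixes is None:
        return "unlisted-train"      # not on the page; do not treat as safe
    if (maint, hotfix) >= fixes[-1]:
        return "fixed"               # at or past the "and later" floor
    for fix_maint, fix_hotfix in fixes:
        if maint == fix_maint:
            # Assumption: hotfixes on one maintenance release are cumulative.
            return "fixed" if hotfix >= fix_hotfix else "below-fix"
    return "check-advisory"          # page lists no hotfix for this release

def triage(inventory):
    """Map each device name to its status; unparsable versions are flagged."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = status(version)
        except ValueError:
            result[device] = "unparsed"
    return result

# Constructed inventory (hypothetical device names and versions).
SAMPLE = {"fw-edge-01": "11.1.4-h34", "fw-edge-02": "11.1.4-h12",
          "fw-dc-01": "12.1.5", "panorama-01": "10.2.19",
          "fw-lab-01": "10.1.14-h2", "fw-lab-02": "11.2.x"}

if __name__ == "__main__":
    for device, state in triage(SAMPLE).items():
        print(f"{device:12} {SAMPLE[device]:12} {state}")
```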
Why management interface exposure matters
All three issues require authentication, but management exposure still matters. If an attacker has stolen admin credentials, compromised a jump host, or gained access from a semi-trusted network, these flaws could provide strong post-compromise leverage.
Palo Alto Networks recommends following its administrative access best practices. That includes restricting management interface access to trusted internal IP addresses and limiting CLI access to a small group of administrators.
A hardened jump box can also reduce risk. In that setup, only the jump box can reach firewall management interfaces, and administrators must authenticate there before managing PAN-OS devices.
- Do not expose PAN-OS management interfaces to the public internet.
- Restrict management access to trusted internal IP addresses.
- Limit CLI access to administrators who truly need it.
- Use a hardened jump box for firewall administration.
- Review admin accounts, role-based permissions, and recent login activity.
CVE-2026-0269 creates a tunnel availability risk
CVE-2026-0269 is different from the root command and privilege escalation flaws. It affects tunnel traffic processing and can allow an authenticated user to repeatedly reboot a firewall by sending crafted packets.
The issue only applies to PAN-OS firewalls configured with IPsec tunnels or GlobalProtect gateways for remote access. Panorama and Prisma Access are not affected by this vulnerability.
Palo Alto Networks says no known workaround exists for CVE-2026-0269. That makes upgrading to a fixed PAN-OS release the main mitigation for environments that depend on VPN or tunnel availability.
Threat Prevention can help, but patching remains required
For CVE-2026-0273, Palo Alto Networks says customers with a Threat Prevention subscription can block attacks by enabling Threat IDs 510028 and 510029, starting with Applications and Threats content version 9112-10102 and later.
That protection has conditions. Management traffic must be routed through a data plane interface, inbound management traffic must be decrypted so the firewall can inspect it, and Threat Prevention must be enabled on that traffic.
This should not replace patching. Threat Prevention can reduce exposure in some architectures, but fixed PAN-OS builds address the vulnerable code directly.
What administrators should do now
Administrators should first identify all PA-Series, VM-Series, and Panorama deployments running PAN-OS 12.1, 11.2, 11.1, or 10.2. They should then compare installed versions with Palo Alto Networks’ fixed releases for each CVE.
Teams should prioritize systems with reachable management interfaces, broad administrator access, IPsec tunnel exposure, or GlobalProtect gateway deployments. These systems carry the highest operational risk if credentials are stolen or if a tunnel DoS attack disrupts remote access.
Security teams should also review the Palo Alto Networks guidance for administrative access and confirm that only trusted systems can reach firewall and Panorama management services.
- Upgrade vulnerable PAN-OS systems to fixed releases.
- Audit firewall and Panorama administrator accounts.
- Check whether management interfaces are reachable from untrusted networks.
- Review logs for unusual CLI or web UI activity.
- Confirm whether IPsec tunnels or GlobalProtect gateways expose devices to CVE-2026-0269.
- Use Threat IDs 510028 and 510029 for CVE-2026-0273 where the required inspection conditions are met.
Palo Alto Networks says it is not aware of malicious exploitation of these issues at the time of disclosure. Even so, firewall management flaws deserve fast attention because PAN-OS devices often sit at critical network boundaries.
FAQ
CVE-2026-0273 is an authenticated administrator command injection vulnerability in PAN-OS. It can allow an admin with CLI or web UI access to run arbitrary commands as the root user.
Palo Alto Networks says it is not aware of malicious exploitation of CVE-2026-0273 at the time of disclosure.
The flaw affects certain PA-Series firewalls, VM-Series firewalls, and Panorama appliances running affected PAN-OS 12.1, 11.2, 11.1, and 10.2 versions. Cloud NGFW and Prisma Access are not affected.
CVE-2026-0269 is a PAN-OS denial-of-service vulnerability in tunnel traffic processing. It affects firewalls configured with IPsec tunnels or GlobalProtect gateways and can cause repeated reboots.
Administrators should install fixed PAN-OS releases, restrict management access to trusted internal IP addresses, limit CLI access, use a hardened jump box, audit administrator accounts, and review tunnel exposure for IPsec and GlobalProtect deployments.