Palo Alto Networks has addressed a critical command injection vulnerability in its PAN-OS software, identified as CVE-2026-0273. This flaw enables authenticated administrators to execute arbitrary commands with root privileges via the command-line interface (CLI) or web management interface.
The vulnerability affects PA-Series and VM-Series firewalls, as well as Panorama appliances running specific versions of PAN-OS, including 12.1, 11.2, 11.1, and 10.2. Notably, Cloud NGFW and Prisma Access are not impacted by this issue.
The vulnerability carries a CVSS score of 6.1 and arises from improper input handling, which allows privileged users to bypass system restrictions and run arbitrary operating system commands. No special configuration is required for exploitation; if a privileged user can access a vulnerable management interface, the device is at risk.
In addition to CVE-2026-0273, Palo Alto Networks has disclosed two related medium-severity vulnerabilities:
- CVE-2026-0272: A privilege escalation flaw in the PAN-OS CLI that permits authenticated administrators to perform actions with root privileges.
- CVE-2026-0269: A memory corruption issue in tunnel traffic processing, allowing an authenticated user to repeatedly reboot a firewall by sending crafted packets. Devices configured with IPsec tunnels or GlobalProtect gateways are particularly vulnerable, and repeated exploitation can push the firewall into maintenance mode, affecting availability.
At the time of disclosure, Palo Alto Networks stated that there was no evidence of malicious exploitation of these vulnerabilities. However, given the potential impact, it is crucial for organizations to apply the provided patches promptly to mitigate risks.
These vulnerabilities underscore the importance of keeping systems up to date and monitoring privileged user activity. Organizations should review their firewall configurations and ensure that only necessary services are exposed to minimize potential attack vectors.