Palo Alto Networks has released patches for three new PAN-OS vulnerabilities that could allow authenticated administrators or users to execute arbitrary commands with root privileges or force firewalls into repeated reboots, raising operational and security concerns for enterprises relying on PA-Series and VM-Series appliances.
PAN-OS Root Command Injection via CLI and Web UI (CVE-2026-0273)
CVE-2026-0273 is a command injection flaw in PAN-OS that allows an authenticated administrator to bypass built‑in system restrictions and run arbitrary OS-level commands as root via either the CLI or the web management interface.
The issue affects PA‑Series and VM‑Series firewalls as well as Panorama appliances, but Cloud NGFW and Prisma Access are explicitly not impacted.
The vulnerability is rated MEDIUM with a CVSS-BT score of 6.1, reflecting that exploitation requires high privileges but results in high impact to confidentiality, integrity, and availability once abused.
No special configuration is required for exposure, so any vulnerable PAN‑OS deployment with administrative access enabled is in scope by default.
While Palo Alto Networks has not seen malicious exploitation so far, the risk increases sharply on devices where the management interface is reachable from external or untrusted networks.
Palo Alto recommends reducing the attack surface by restricting CLI access to a tightly controlled admin group and limiting management web access to trusted internal IPs or a hardened jump box, aligned with its management-plane hardening best practices.
Administrators should upgrade to fixed PAN‑OS maintenance releases such as 12.1.4‑h7, 12.1.7, 11.2.4‑h18, 11.2.12, 11.1.4‑h34, 11.1.15, 10.2.7‑h35, 10.2.18‑h7 or later, depending on the major version in use.
Privilege Escalation to Root in PAN-OS CLI (CVE-2026-0272)
CVE-2026-0272 is a privilege escalation vulnerability in the PAN‑OS command line interface that allows an authenticated administrator to escalate to full root privileges on the device.
The flaw is associated with missing authorization controls (CWE‑862). It enables higher-impact actions than are normally permitted for the admin’s role once the CLI is reachable.
Like CVE‑2026‑0273, this issue affects PA‑Series and VM‑Series firewalls and Panorama, but not Cloud NGFW or Prisma Access, and requires no special configuration to be exploitable.
It carries a MEDIUM severity with a CVSS‑BT score of 6.0, mainly because it requires already high‑privileged access but can significantly compromise confidentiality and integrity. Palo Alto reports no known in‑the‑wild exploitation at this time.
The advisory again stresses restricting management access to trusted internal addresses and, where possible, forcing admins through a dedicated jump host to shrink the effective attack surface.
Fixes are available in PAN‑OS streams including 12.1.4‑h7 or 12.1.5 and later, 11.2.4‑h18 or 11.2.11 and later, 11.1.4‑h34 or 11.1.14 and later, and 10.2.7‑h35 or 10.2.18‑h5 and later, with older unsupported versions requiring an upgrade to a supported fixed release.
Tunnel Traffic DoS via Memory Corruption (CVE-2026-0269)
CVE-2026-0269 targets the data plane rather than the management plane, leveraging a memory corruption bug in PAN‑OS tunnel traffic processing.
An authenticated user with low privileges can send a maliciously crafted packet through an IPSec tunnel or GlobalProtect remote access gateway, triggering a reboot and potentially forcing the firewall into maintenance mode if repeated.
This leads to a denial‑of‑service condition, impacting availability but not directly exposing confidentiality or integrity.
The flaw is rated MEDIUM with a CVSS‑BT score of 4.6. A PAN‑OS firewall is exposed only if it is configured with IPSec tunnels or GlobalProtect gateways. Panorama, Cloud NGFW, and Prisma Access are not affected.
While exploitation has been observed only in production discovery, not in malicious campaigns, organizations running large IPSec or GlobalProtect footprints should treat this as a meaningful stability risk.
Palo Alto has shipped fixes across maintained PAN‑OS versions, including 12.1.4‑h5 or 12.1.5 and later, 11.2.4‑h17, 11.2.7‑h4, 11.2.10 and later, 11.1.4‑h33, 11.1.6‑h21, 11.1.12 and later, and 10.2.7‑h34, 10.2.10‑h36, 10.2.18 and later, with guidance to upgrade from any older or unsupported builds to a supported fixed release.
Until patching is complete, defenders should closely monitor tunnel traffic, watch for unexplained reboots or devices entering maintenance mode, and prioritize high‑availability designs to absorb potential DoS attempts.
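To triage a fleet against the fixed releases listed above, the following added example (not code from Palo Alto Networks or from this article's author) flags which of the three CVEs each device still needs an upgrade for. It assumes that a hotfix build only counts as fixed on the same maintenance release as a listed hotfix, that any other build must be at or beyond the newest fix listed for its major.minor branch, and that branches with no listed fix are flagged; it does not check platform applicability or tunnel configuration, and the inventory is constructed.

```python
import re

# Fixed releases per CVE, copied from the article text (ASCII hyphens).
FIXED = {
    "CVE-2026-0273": ["12.1.4-h7", "12.1.7", "11.2.4-h18", "11.2.12",
                      "11.1.4-h34", "11.1.15", "10.2.7-h35", "10.2.18-h7"],
    "CVE-2026-0272": ["12.1.4-h7", "12.1.5", "11.2.4-h18", "11.2.11",
                      "11.1.4-h34", "11.1.14", "10.2.7-h35", "10.2.18-h5"],
    "CVE-2026-0269": ["12.1.4-h5", "12.1.5", "11.2.4-h17", "11.2.7-h4",
                      "11.2.10", "11.1.4-h33", "11.1.6-h21", "11.1.12",
                      "10.2.7-h34", "10.2.10-h36", "10.2.18"],
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")

def parse(version):
    """'11.2.4-h18' -> (11, 2, 4, 18); a build with no hotfix counts as h0."""
    # Normalise the non-breaking hyphen that copied advisory text often carries.
    m = _VERSION.fullmatch(version.strip().replace("\u2011", "-"))
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_fixed(version, cve):
    v = parse(version)
    branch = [f for f in map(parse, FIXED[cve]) if f[:2] == v[:2]]
    if not branch:
        return False  # assumption: no listed fix for this branch -> flag it
    # On the same maintenance release as a listed fix: need that hotfix or newer.
    if any(f[:3] == v[:3] and v[3] >= f[3] for f in branch):
        return True
    # Otherwise only builds at or beyond the newest listed fix count as fixed.
    return v >= max(branch)

def unpatched(inventory):
    """Return {hostname: [CVEs still missing a fix]} for hosts needing an upgrade."""
    report = {}
    for host, version in inventory.items():
        missing = sorted(c for c in FIXED if not is_fixed(version, c))
        if missing:
            report[host] = missing
    return report

# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = {"fw-edge-01": "11.2.4-h18", "fw-dc-02": "11.2.10",
             "fw-branch-03": "10.2.18-h5", "fw-lab-04": "12.1.5"}

if __name__ == "__main__":
    for host, cves in unpatched(INVENTORY).items():
        print(f"{host}: upgrade needed for {', '.join(cves)}")
```

A device absent from the report is at or beyond a listed fix for all three CVEs under the assumptions above; confirm the result against the vendor advisory before closing a ticket.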

