VYPR
← All advisories
Medium severityNVD Advisory· Published Jun 10, 2026

CVE-2026-0273

CVE-2026-0273

Description

Authenticated command injection in PAN-OS allows root command execution via CLI or Web UI, impacting PA-Series, VM-Series, and Panorama.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in PAN-OS allows root command execution via CLI or Web UI, impacting PA-Series, VM-Series, and Panorama.

Vulnerability

A command injection vulnerability exists in Palo Alto Networks PAN-OS software, affecting PA-Series, VM-Series firewalls, and Panorama (virtual and M-Series). This issue allows an authenticated administrator to bypass system restrictions and execute arbitrary commands with root privileges. No special configuration is required to be affected by this vulnerability.

Exploitation

An attacker must possess administrative access to the PAN-OS CLI or Web UI to exploit this vulnerability. The attacker can then leverage this access to inject commands that bypass system restrictions and execute arbitrary code as the root user.

Impact

Successful exploitation of this vulnerability allows an authenticated administrator to execute arbitrary commands as the root user, leading to a complete compromise of the affected system. This could result in unauthorized access, data exfiltration, or further system manipulation.

Mitigation

Palo Alto Networks has not yet released a patched version for this vulnerability. They recommend restricting access to the management interface to only trusted internal IP addresses as a mitigation strategy. Further information can be found in their LIVEcommunity article and official documentation [1].

References
  1. CVE-2026-0273 PAN-OS: Authenticated Admin Command Injection Vulnerability via CLI or Web UI

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1