VYPR
Advisory · Published Jun 12, 2026 · 1 source

Palo Alto Networks Discloses Root-Level Command Injection Bug in PAN-OS

Palo Alto Networks has disclosed CVE-2026-0273, a command injection vulnerability in PAN-OS that lets authenticated administrators execute arbitrary commands as root via the CLI or web management interface.

Palo Alto Networks has disclosed a command injection vulnerability in its PAN-OS operating system that allows authenticated administrators to execute arbitrary commands as root. Tracked as CVE-2026-0273, the flaw carries a CVSS v4.0 score of 6.1 and affects PA-Series and VM-Series firewalls as well as Panorama appliances running specific versions of PAN-OS 12.1, 11.2, 11.1, and 10.2. Cloud NGFW and Prisma Access are not impacted.

The vulnerability stems from improper input handling in the PAN-OS CLI and web management interface. An authenticated administrator can bypass normal system restrictions and run arbitrary OS commands with root privileges. No special configuration is required—if a privileged user can log in to a vulnerable management interface, the device is at risk. This makes the bug particularly dangerous in environments where management access is not tightly controlled.

Alongside CVE-2026-0273, Palo Alto Networks also disclosed two related medium-severity issues. CVE-2026-0272 is a CLI privilege escalation flaw that allows an authenticated administrator to perform actions with root privileges. CVE-2026-0269 is a memory corruption bug in tunnel traffic processing that enables an authenticated user to repeatedly reboot a firewall by sending crafted packets. Devices configured with IPsec tunnels or GlobalProtect gateways are exposed to the denial-of-service bug, and repeated exploitation can push the firewall into maintenance mode.

Palo Alto Networks has released fixed versions across all affected PAN-OS trains. For CVE-2026-0273, hotfixes include 12.1.4-h7, 11.2.4-h18, 11.1.4-h34, and 10.2.7-h35, with subsequent maintenance releases such as 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h7 also addressing the flaw. Similar hotfixes are available for CVE-2026-0272 and CVE-2026-0269. Organizations running older, unsupported PAN-OS branches are advised to upgrade to a supported, fixed release rather than relying solely on configuration changes.
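The fixed releases above can be turned into a quick inventory triage. The following is an added example, not code from Palo Alto Networks or from this article. It assumes a hotfix such as 11.1.4-h34 only covers its own maintenance release (11.1.4) and that releases at or above the listed maintenance release in a train carry the fix. The hostnames and inventory are constructed, and because the article's list of fixed releases is partial, "unconfirmed" means "check the vendor advisory", not "vulnerable".

```python
import re

# Fixed releases for CVE-2026-0273 as named in the article (a partial list).
# Hotfix entries: train -> (maintenance release, minimum hotfix number).
HOTFIXES = {"12.1": (4, 7), "11.2": (4, 18), "11.1": (4, 34), "10.2": (7, 35)}
# Maintenance-release floors: train -> (maintenance release, hotfix number).
FLOORS = {"12.1": (7, 0), "11.2": (12, 0), "11.1": (15, 0), "10.2": (18, 7)}

VERSION_RE = re.compile(r"^(\d+\.\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split '11.1.4-h34' into ('11.1', 4, 34); no hotfix suffix means 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def status(version):
    """Classify a version against the article's fixed-release list."""
    train, maint, hotfix = parse(version)
    if train not in FLOORS:
        return "unlisted-train"   # e.g. an older branch the article does not list
    if (maint, hotfix) >= FLOORS[train]:
        return "fixed"            # at or past the listed maintenance release
    hf_maint, hf_min = HOTFIXES[train]
    if maint == hf_maint and hotfix >= hf_min:
        return "fixed"            # same maintenance release, hotfix high enough
    return "unconfirmed"          # not covered by the article's partial list


def triage(inventory):
    """Map each device name to its status."""
    return {host: status(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames).
INVENTORY = {
    "fw-edge-01": "11.1.4-h34",
    "fw-edge-02": "11.1.6",        # newer than 11.1.4, but the hotfix does not apply
    "panorama-01": "10.2.18-h3",
    "fw-lab-01": "12.1.7",
    "fw-old-01": "9.1.19",
}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:12} {result}")
```

The 11.1.6 case is the one a naive "greater than the hotfix" comparison gets wrong: it sorts above 11.1.4-h34 but is not covered by that hotfix.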

The company reports no active exploitation of these vulnerabilities at the time of disclosure. However, Palo Alto Networks recommends restricting management access to only trusted internal IP addresses and limiting CLI access to a small group of administrators. Using a hardened jump box as the sole host with access to firewall management interfaces further reduces the risk that stolen credentials can be abused. Customers with a Threat Prevention subscription can also block exploit attempts for CVE-2026-0273 by enabling dedicated Threat IDs, provided management traffic is routed through a data plane interface and decrypted.

This disclosure follows a pattern of recent vulnerabilities in network security appliances that require authenticated access but can lead to full system compromise. While the CVSS score for CVE-2026-0273 is relatively moderate, the ability to execute commands as root makes it a critical concern for organizations that rely on Palo Alto Networks firewalls for perimeter defense. Administrators are urged to apply the available patches promptly and review their management access controls.

Synthesized by Vypr AI