
Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User

Source: Cybersecurity News. Archived Jun 12, 2026.



By Abinaya, June 12, 2026

Palo Alto Networks fixed a new command injection vulnerability in PAN‑OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface.

Two related medium‑severity issues in the same advisory window cover CLI privilege escalation (CVE‑2026‑0272) and a tunnel traffic denial‑of‑service bug (CVE‑2026‑0269).

CVE‑2026‑0273 affects PA‑Series and VM‑Series firewalls as well as Panorama appliances running specific PAN‑OS 12.1, 11.2, 11.1 and 10.2 versions. The flaw is rated 6.1 under CVSS v4.0. It stems from improper input handling, allowing an authenticated admin to bypass normal system restrictions and run arbitrary OS commands with root privileges via the CLI or the management web UI. No special configuration is required: if a privileged user can log in to a vulnerable management interface, the device is at risk. Cloud NGFW and Prisma Access are explicitly listed as not affected.

CVE‑2026‑0272 is a medium‑severity privilege escalation vulnerability in the PAN‑OS CLI that allows an authenticated administrator to perform actions on the device with root privileges. Like CVE‑2026‑0273, it impacts PA‑Series, VM‑Series and Panorama across supported 12.1, 11.2, 11.1 and 10.2 trains, but not Cloud NGFW or Prisma Access.

CVE‑2026‑0269 is a memory corruption flaw in tunnel traffic processing that allows an authenticated user to repeatedly reboot a firewall by sending crafted packets. Devices configured with IPsec tunnels or GlobalProtect gateways are exposed, and repeated exploitation can push the firewall into maintenance mode, impacting availability.

Palo Alto Networks says it is not aware of any malicious exploitation of these three vulnerabilities at the time of disclosure.
| Product / PAN‑OS train | CVE ID | Affected versions (examples) | Fixed / upgrade to (examples) |
|---|---|---|---|
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 12.1: from 12.1.4 up to (but excluding) 12.1.4‑h7 and from 12.1.0 up to (but excluding) 12.1.7 | 12.1.4‑h7, 12.1.7 and later in the 12.1 line |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 11.2: from 11.2.4 up to (but excluding) 11.2.4‑h18; 11.2.7 up to 11.2.7‑h16; 11.2.10 up to 11.2.10‑h9; 11.2.0–<11.2.12 | 11.2.4‑h18, 11.2.7‑h16, 11.2.10‑h9, 11.2.12 and later in the 11.2 line |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 11.1: from 11.1.4 up to 11.1.4‑h34; 11.1.6 up to 11.1.6‑h33; 11.1.7 up to 11.1.7‑h7; 11.1.10 up to 11.1.10‑h27; 11.1.13 up to 11.1.13‑h7; 11.1.0–<11.1.15 | 11.1.4‑h34, 11.1.6‑h33, 11.1.7‑h7, 11.1.10‑h27, 11.1.13‑h7, 11.1.15 and later in 11.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0273 | 10.2: from 10.2.7 up to 10.2.7‑h35; 10.2.10 up to 10.2.10‑h37; 10.2.13 up to 10.2.13‑h22; 10.2.16 up to 10.2.16‑h8; 10.2.18 up to 10.2.18‑h7 | 10.2.7‑h35, 10.2.10‑h37, 10.2.13‑h22, 10.2.16‑h8, 10.2.18‑h7 and later in 10.2 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 12.1: 12.1.2 through 12.1.4‑h* (before 12.1.4‑h7) | 12.1.4‑h7, 12.1.5 or later in 12.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 11.2: 11.2.0–<11.2.4‑h18; 11.2.5–<11.2.7‑h16; 11.2.8–<11.2.10‑h9; 11.2.10–<11.2.11 | 11.2.4‑h18, 11.2.7‑h16, 11.2.10‑h9, 11.2.11 and later in 11.2 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 11.1: 11.1.0–<11.1.4‑h34; 11.1.5–<11.1.6‑h33; 11.1.7–<11.1.7‑h7; 11.1.8–<11.1.10‑h27; 11.1.11–<11.1.13‑h7; 11.1.13–<11.1.14 | 11.1.4‑h34, 11.1.6‑h33, 11.1.7‑h7, 11.1.10‑h27, 11.1.13‑h7, 11.1.14 and later in 11.1 |
| PA‑Series, VM‑Series, Panorama | CVE‑2026‑0272 | 10.2: 10.2.0–<10.2.7‑h35; 10.2.8–<10.2.10‑h37; 10.2.11–<10.2.13‑h22; 10.2.14–<10.2.16‑h8; 10.2.17–<10.2.18‑h5 | 10.2.7‑h35, 10.2.10‑h37, 10.2.13‑h22, 10.2.16‑h8, 10.2.18‑h5 and later in 10.2 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 12.1: 12.1.2–<12.1.4‑h5 and 12.1.0–<12.1.5 | 12.1.4‑h5, 12.1.5 and later in 12.1 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 11.2: 11.2.0–<11.2.4‑h17; 11.2.5–<11.2.7‑h4; 11.2.8–<11.2.9; 11.2.9–<11.2.10 | 11.2.4‑h17, 11.2.7‑h4, 11.2.10 and later in 11.2 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 11.1: 11.1.0–<11.1.4‑h33; 11.1.5–<11.1.6‑h21; 11.1.7–<11.1.10‑h7; 11.1.11–<11.1.12 | 11.1.4‑h33, 11.1.6‑h21, 11.1.10‑h7, 11.1.12 and later in 11.1 |
| PA‑Series, VM‑Series (IPsec/GlobalProtect only) | CVE‑2026‑0269 | 10.2: 10.2.0–<10.2.7‑h34; 10.2.4–<10.2.16‑h6; 10.2.8–<10.2.10‑h36; 10.2.11–<10.2.13‑h21; 10.2.17–<10.2.18 | 10.2.7‑h34, 10.2.10‑h36, 10.2.13‑h21, 10.2.16‑h6, 10.2.18 and later in 10.2 |

For CVE‑2026‑0273, vulnerable branches include PAN‑OS 12.1, 11.2, 11.1, and 10.2 up to, but not including, hotfixes such as 12.1.4‑h7, 11.2.4‑h18, 11.1.4‑h34, 10.2.7‑h35, and later maintenance releases such as 12.1.7, 11.2.12, 11.1.15, and 10.2.18‑h7. CVE‑2026‑0272 and CVE‑2026‑0269 follow similar patterns, with fixes provided in the latest “‑h” hotfixes and subsequent maintenance versions for each train. Organizations running older, unsupported PAN‑OS branches are advised to upgrade to a supported, fixed release rather than relying solely on configuration.

Palo Alto recommends restricting management access to only trusted internal IP addresses and limiting CLI access to a small group of administrators, in line with its administrative access best‑practice guidance. Using a hardened jump box as the sole host with access to the firewall management interfaces further reduces the risk that stolen credentials can be abused. Customers with a Threat Prevention subscription can also block exploit attempts for CVE‑2026‑0273 by enabling the dedicated Threat IDs, provided management traffic is routed through a data plane interface and decrypted so the firewall can inspect it.
For the tunnel DoS bug CVE‑2026‑0269, Palo Alto lists no practical workaround and directs customers to upgrade to fixed code and review tunnel exposure. While all three issues require authenticated access, they offer strong post‑compromise leverage, allowing attackers to gain root control of devices or disrupt VPN and remote access services. Patching should therefore be prioritized in environments where management or tunnel endpoints are reachable from semi‑trusted networks.