Critical Security Advisory: Addressing New PAN-OS Vulnerabilities in PA-Series and VM-Series Appliances
Palo Alto Networks has released urgent security patches to address three distinct vulnerabilities within PAN-OS. These flaws represent a significant risk to enterprise security postures, as they could allow authenticated users to escalate privileges to root level or trigger persistent Denial-of-Service (DoS) conditions via system reboots. For organizations relying on PA-Series and VM-Series hardware or virtual appliances, immediate assessment of management plane exposure is highly recommended.
PAN-OS Root Command Injection via CLI and Web UI (CVE-2026-0273)
The vulnerability identified as CVE-2026-0273 is a critical command injection flaw. It resides within the management plane, allowing an authenticated administrator to bypass standard operating system restrictions. By leveraging either the Command Line Interface (CLI) or the Web Management UI, an attacker can execute arbitrary OS-level commands with full root privileges.
While the impact on confidentiality, integrity, and availability is high, the CVSS-BT score is rated as MEDIUM (6.1). This is primarily due to the requirement for existing administrative credentials to initiate the exploit. The flaw affects PA-Series, VM-Series, and Panorama appliances; however, cloud-native solutions like Cloud NGFW and Prisma Access are not impacted.
Mitigation Strategy: To reduce the potential attack surface, administrators should implement strict management-plane hardening. This includes restricting CLI access to a highly vetted group of users and ensuring the web management interface is only reachable via trusted internal networks or through a hardened jump box.
Required Updates: Patching is available in the following maintenance releases: 12.1.4-h7, 12.1.7, 11.2.4-h18, 11.2.12, 11.1.4-h34, 11.1.15, 10.2.7-h35, 10.2.18-h7, or later.
Privilege Escalation to Root in PAN-OS CLI (CVE-2026-0272)
A second vulnerability, CVE-2026-0272, targets the authorization logic within the PAN-OS CLI. This flaw (categorized under CWE-862: Missing Authorization) allows an authenticated administrator to bypass role-based access controls and escalate their permissions to full root access.
Similar to the command injection flaw, this affects PA-Series, VM-Series, and Panorama, but excludes Cloud NGFW and Prisma Access. The vulnerability is rated MEDIUM (6.0). Although no active exploitation has been detected in the wild, the ability for a lower-level admin to seize total control of a security appliance poses a major internal threat.
Remediation: Beyond applying the software updates listed below, organizations should adhere to the principle of least privilege (PoLP), ensuring administrative accounts are only granted the specific permissions necessary for their tasks.
Required Updates: Fixed versions include 12.1.4-h7 or 12.1.5+, 11.2.4-h18 or 11.2.11+, 11.1.4-h34 or 11.1.14+, and 10.2.7-h35 or 10.2.18-h5+.
Tunnel Traffic Denial-of-Service via Memory Corruption (CVE-2026-0269)
Unlike the previous two vulnerabilities, which target the management plane, CVE-2026-0269 targets the data plane. It is a memory corruption vulnerability triggered during the processing of tunnel traffic.
An authenticated user with low-level privileges can transmit a specially crafted packet through an IPSec tunnel or a GlobalProtect remote access gateway. This malformed packet causes a memory corruption error, resulting in an immediate system reboot. If an attacker repeatedly sends these packets, the firewall can be forced into a continuous reboot loop, effectively placing the device in maintenance mode and causing a total Denial-of-Service (DoS).
The vulnerability carries a MEDIUM (4.6) rating. While it does not directly compromise data confidentiality, it presents a severe risk to network availability. This flaw specifically impacts devices configured with IPSec or GlobalProtect; Panorama and cloud-based services remain unaffected.
Operational Guidance: Until patches can be applied, network engineers should monitor for unexplained device reboots or unexpected entries into maintenance mode. Utilizing High Availability (HA) clusters is a critical defense-in-depth measure to ensure traffic continuity during a localized DoS attempt.
Required Updates: Fixed versions include 12.1.4-h5 or 12.1.5+, 11.2.4-h17, 11.2.7-h4, 11.2.10+, 11.1.4-h33, 11.1.6-h21, 11.1.12+, 10.2.7-h34, 10.2.10-h36, and 10.2.18+.
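The three "Required Updates" lists above use two different kinds of entry: a base release with "+" or "or later" (12.1.5+, 11.2.12) that covers every later release of that major.minor train, and a hotfix (11.2.4-h18, 10.2.7-h35) that only covers that patch level at that hotfix number or higher. Comparing a fleet of firewalls against all three lists by hand is error-prone, so the following script, added here as an example and not part of the advisory or of any Palo Alto Networks tooling, parses a PAN-OS version string, applies those two rules, and reports which of the three CVEs the running version is still exposed to. The fixed-release tables are copied from the advisory; the reading of "+"/"or later" as open-ended and of a bare hotfix as patch-level-only is this script's interpretation, and any version that matches no entry (including trains the advisory does not list, such as 9.1) is reported as unpatched so the result fails closed. The `show system info` text at the bottom is a constructed sample, not real device output.

```python
"""Check a PAN-OS version against the fixed releases listed in the advisory."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Fixed releases exactly as given in the advisory. A trailing "+" mirrors the
# advisory's "or later": that release and every later release of the same
# major.minor train. An entry without "+" is a hotfix that covers only that
# patch level at that hotfix number or higher (11.2.4-h18 covers 11.2.4-h19
# but says nothing about 11.2.5).
FIXED_RELEASES: Dict[str, List[str]] = {
    "CVE-2026-0273": ["12.1.4-h7", "12.1.7+", "11.2.4-h18", "11.2.12+",
                      "11.1.4-h34", "11.1.15+", "10.2.7-h35", "10.2.18-h7+"],
    "CVE-2026-0272": ["12.1.4-h7", "12.1.5+", "11.2.4-h18", "11.2.11+",
                      "11.1.4-h34", "11.1.14+", "10.2.7-h35", "10.2.18-h5+"],
    "CVE-2026-0269": ["12.1.4-h5", "12.1.5+", "11.2.4-h17", "11.2.7-h4",
                      "11.2.10+", "11.1.4-h33", "11.1.6-h21", "11.1.12+",
                      "10.2.7-h34", "10.2.10-h36", "10.2.18+"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True, order=True)
class PanOsVersion:
    """major.minor.patch[-hN]; field order makes tuple comparison correct."""
    major: int
    minor: int
    patch: int
    hotfix: int = 0  # 0 means a base release with no hotfix

    @classmethod
    def parse(cls, text: str) -> "PanOsVersion":
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version: {text!r}")
        major, minor, patch, hotfix = m.groups()
        return cls(int(major), int(minor), int(patch), int(hotfix or 0))

    @property
    def train(self):
        return (self.major, self.minor)


def _covers(fixed_entry: str, running: PanOsVersion) -> bool:
    """Does one advisory entry cover the running version?"""
    open_ended = fixed_entry.endswith("+")
    fixed = PanOsVersion.parse(fixed_entry.rstrip("+"))
    if fixed.train != running.train:
        return False  # fixes never carry across major.minor trains
    if open_ended:
        return running >= fixed
    # Hotfix entry: same patch level, hotfix number at least the fixed one.
    return running.patch == fixed.patch and running.hotfix >= fixed.hotfix


def unpatched_cves(version: str) -> List[str]:
    """Return the CVEs from the advisory that `version` is not fixed against.

    Anything matching no entry is reported as unpatched (fail closed)."""
    running = PanOsVersion.parse(version)
    return [cve for cve, entries in FIXED_RELEASES.items()
            if not any(_covers(entry, running) for entry in entries)]


SW_VERSION_RE = re.compile(r"^sw-version:\s*(\S+)", re.MULTILINE)


def version_from_system_info(output: str) -> str:
    """Pull the sw-version field out of `show system info` text."""
    m = SW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no sw-version line found in output")
    return m.group(1)


# Constructed sample of `show system info` output (not captured from a device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-440
sw-version: 10.2.18-h5
"""

if __name__ == "__main__":
    running_version = version_from_system_info(SAMPLE_SYSTEM_INFO)
    missing = unpatched_cves(running_version)
    if missing:
        print(f"{running_version}: still exposed to {', '.join(missing)}")
    else:
        print(f"{running_version}: fixed for all three CVEs")
```

The sample version 10.2.18-h5 is a useful edge case: it satisfies 10.2.18-h5+ (CVE-2026-0272) and 10.2.18+ (CVE-2026-0269) but falls short of 10.2.18-h7 for CVE-2026-0273, so a fleet check that only looked at the patch number would wrongly mark the device as fully remediated. For CVE-2026-0269 the advisory also states that Panorama is unaffected, so a production version of this check would additionally read the `model` field before reporting that CVE.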