Rewterz

June 15, 2026

PAN-OS Flaw Enables Root Command Execution

Severity

High

Analysis Summary

Palo Alto Networks has addressed three security vulnerabilities in PAN-OS, including a command injection flaw tracked as CVE-2026-0273 that allows authenticated administrators to execute arbitrary operating system commands with root privileges through the CLI or the web management interface. The vulnerability affects PA-Series firewalls, VM-Series firewalls, and Panorama appliances running affected releases of PAN-OS 10.2, 11.1, 11.2, and 12.1. Although the vendor rates it Medium severity under CVSS v4.0, successful exploitation grants an attacker complete control over the underlying system. Cloud NGFW and Prisma Access environments are not affected.

A second vulnerability, CVE-2026-0272, is a privilege escalation flaw within the PAN-OS CLI that enables authenticated administrators to perform actions with root-level privileges. Similar to CVE-2026-0273, it impacts supported PA-Series, VM-Series, and Panorama deployments across multiple PAN-OS release trains. Exploitation of either vulnerability requires valid administrative credentials, making them particularly dangerous in scenarios involving compromised accounts, insider threats, or credential theft.

The third vulnerability, CVE-2026-0269, is a memory corruption issue affecting tunnel traffic processing. An authenticated attacker can exploit the flaw by sending specially crafted packets to repeatedly reboot affected firewalls configured with IPsec tunnels or GlobalProtect gateways. Repeated exploitation may force devices into maintenance mode, causing denial-of-service conditions and disrupting VPN connectivity, remote access services, and overall network availability.

Palo Alto Networks has released hotfixes and maintenance updates for all affected PAN-OS branches and recommends immediate upgrades to supported fixed versions. Additional security measures include restricting management access to trusted internal networks, limiting CLI access to authorized administrators, and using hardened jump servers for administrative tasks. Organizations with Threat Prevention subscriptions can further mitigate exploitation attempts by enabling the relevant Threat IDs. While no active exploitation has been reported, these vulnerabilities provide significant post-compromise capabilities, making prompt patching and access control hardening critical for affected environments.

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-0273

  • CVE-2026-0272

  • CVE-2026-0269

Remediation

  • Upgrade all affected PAN-OS devices to the latest fixed or hotfix releases recommended by Palo Alto Networks.
  • Prioritize patching internet-facing firewalls, Panorama appliances, and systems accessible from semi-trusted networks.
  • Restrict management interface access to trusted internal IP addresses only.
  • Limit CLI and web management access to a small group of authorized administrators.
  • Implement multi-factor authentication (MFA) for all administrative accounts.
  • Use hardened jump servers or bastion hosts as the only systems permitted to access firewall management interfaces.
  • Regularly review and remove unnecessary administrative accounts and privileges.
  • Monitor administrative login activity for suspicious access attempts, privilege escalation, or unauthorized configuration changes.
  • Enable logging and alerting for command execution, configuration modifications, and management interface activity.
  • Apply the principle of least privilege to reduce the impact of compromised administrator credentials.
  • Enable and maintain Threat Prevention protections, including the relevant Threat IDs for CVE-2026-0273 where supported.
  • Ensure management traffic is inspected and decrypted when using Threat Prevention controls.
  • Review IPsec tunnel and GlobalProtect gateway exposure and restrict access to trusted users and networks.
  • Monitor firewalls for unexpected reboots, service interruptions, or repeated tunnel-related failures that may indicate exploitation attempts.
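The following is an added example, not code from the Rewterz advisory or from Palo Alto Networks, showing how three of the remediation checks above can be automated against management and system logs: administrative logins from outside a trusted management allowlist, CLI use by accounts that are not on the authorised-administrator list, and repeated unexpected reboots of the kind the tunnel-processing flaw could cause. The log line format, the trusted network, the account names and the reboot threshold are all constructed for this example; real PAN-OS syslog fields differ, so the parser would need to be adapted to the exporter in use.

```python
"""Added example (not from the Rewterz advisory or Palo Alto Networks).

Runs three defender-side checks over constructed, simplified firewall log
lines. The log format, networks, usernames and thresholds are assumptions
made for this example, not PAN-OS's real syslog layout.
"""
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist: the only network permitted to reach the management
# interface (for example, a hardened jump-host subnet).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Constructed set of accounts allowed to use the CLI.
AUTHORISED_CLI_ADMINS = {"netops-admin"}
# Constructed threshold: this many unexpected reboots inside the window is suspicious.
REBOOT_THRESHOLD = 3
REBOOT_WINDOW = timedelta(minutes=30)

# Constructed sample log lines: "<timestamp> <device> <event> key=value ...".
SAMPLE_LOGS = """\
2026-06-15T08:01:10 fw-edge-1 auth-success user=netops-admin src=10.10.0.5 method=web
2026-06-15T08:02:44 fw-edge-1 cli-command user=netops-admin src=10.10.0.5 cmd="show system info"
2026-06-15T09:15:02 fw-edge-1 auth-success user=contractor src=203.0.113.77 method=web
2026-06-15T09:16:30 fw-edge-1 cli-command user=contractor src=203.0.113.77 cmd="show system info"
2026-06-15T10:00:00 fw-edge-2 system-reboot reason=unexpected
2026-06-15T10:07:00 fw-edge-2 system-reboot reason=unexpected
2026-06-15T10:19:00 fw-edge-2 system-reboot reason=unexpected
2026-06-15T13:00:00 fw-edge-3 system-reboot reason=scheduled
"""


def parse_line(line):
    """Split one constructed log line into a dict of fields.

    shlex.split keeps a quoted value such as cmd="show system info" together.
    """
    ts_str, device, event, *kvs = shlex.split(line)
    fields = {"ts": datetime.fromisoformat(ts_str), "device": device, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def from_trusted(src):
    """True if the source address lies inside a trusted management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyse(log_text):
    """Return a list of (finding, device, detail, extra) tuples."""
    findings = []
    # Per-device sliding window of recent unexpected reboot timestamps.
    reboots = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Check 1: management login from outside the trusted allowlist.
        if ev["event"] == "auth-success" and not from_trusted(ev["src"]):
            findings.append(("untrusted-mgmt-login", ev["device"], ev["user"], ev["src"]))
        # Check 2: CLI used by an account not on the authorised list.
        if ev["event"] == "cli-command" and ev["user"] not in AUTHORISED_CLI_ADMINS:
            findings.append(("unauthorised-cli-use", ev["device"], ev["user"], ev["cmd"]))
        # Check 3: repeated unexpected reboots of one device inside the window.
        if ev["event"] == "system-reboot" and ev.get("reason") == "unexpected":
            times = reboots[ev["device"]]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > REBOOT_WINDOW:
                times.pop(0)
            if len(times) >= REBOOT_THRESHOLD:
                findings.append(("repeated-reboots", ev["device"], len(times), ev["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Against the constructed sample, the script reports the contractor's login from 203.0.113.77, the contractor's CLI use, and three unexpected reboots of fw-edge-2 within 19 minutes, while the scheduled reboot of fw-edge-3 and the jump-host administrator's activity produce nothing. The sliding window is what keeps a single unplanned reboot from paging anyone while still catching the repeated-reboot pattern the advisory describes.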