PAN-OS: Authenticated Admin Command Injection Vulnerability

Plan Patch | CVSS 8.6 | CVE-2026-0261 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS and Prisma Access allow an authenticated administrator to bypass system restrictions and execute arbitrary commands as root. Exploitation requires access to the PAN-OS CLI or Web UI. Affected products include PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances. Cloud NGFW and Prisma Access cloud services are not affected. Risk is significantly reduced when CLI access is restricted to a limited group of administrators and management access is limited to trusted internal IP addresses.

What this means
What could happen
An authenticated administrator with access to the PAN-OS command line or web interface could run arbitrary commands as root on the firewall, potentially allowing them to disable security features, alter firewall rules, or disrupt network operations.
Who's at risk
This affects network administrators and security teams managing Palo Alto Networks firewalls (PA-Series, VM-Series, and Panorama appliances) in any organization. If you run PAN-OS or Prisma Access on firewalls, you should review your administrator access controls and patch status.
How it could be exploited
An attacker with valid administrator credentials and network access to the firewall's management interface (CLI or Web UI) can inject commands that bypass system restrictions and execute arbitrary code with root privileges. This requires the attacker to already have authenticated access—there is no pre-authentication exploit path.
Prerequisites
  • Valid administrator credentials for PAN-OS CLI or Web UI
  • Network access to the management interface (port 443 for Web UI or SSH port for CLI)
requires valid administrator credentials | no authentication bypass | affects network security infrastructure | command injection capability
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
PAN-OS | Below 12.1.4-h5 | 12.1.4-h5+
PAN-OS | Below 12.1.7 | 12.1.7 (ETA: 05/28)+
Prisma Access | Below 11.2.4-h17 | 11.2.4-h17 (ETA: 05/28)+
Prisma Access | Below 11.2.7-h13 | 11.2.7-h13+
Prisma Access | Below 11.2.10-h6 | 11.2.10-h6+
Prisma Access | Below 11.2.12 | 11.2.12 (ETA: 05/28)+
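
A triage helper for the fixed versions listed above, added here as an example; it is not code from Palo Alto Networks or from this advisory. It assumes a hotfix build (`-hN`) only fixes its own maintenance release, and it reports release trains the table does not list as `unlisted` rather than guessing. The hostnames and inventory are constructed.

```python
import re

# Fixed versions copied from the affected-products table in this advisory.
FIXES = {
    "PAN-OS": ["12.1.4-h5", "12.1.7"],
    "Prisma Access": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'X.Y.Z[-hN]' into (major, minor, maintenance, hotfix)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(product, version):
    """Return 'fixed', 'affected' or 'unlisted' for one device."""
    v = parse(version)
    train = [f for f in map(parse, FIXES.get(product, [])) if f[:2] == v[:2]]
    if not train:
        # Assumption: a train missing from the table needs a manual check.
        return "unlisted"
    # Assumption: a hotfix row only covers builds of the same maintenance release.
    if any(f[3] and f[:3] == v[:3] and v[3] >= f[3] for f in train):
        return "fixed"
    # A row without a hotfix suffix covers that release and everything after it.
    if any(not f[3] and v >= f for f in train):
        return "fixed"
    return "affected"


# Constructed inventory for illustration: (hostname, product, running version).
INVENTORY = [
    ("fw-plant-01", "PAN-OS", "12.1.4-h3"),
    ("fw-plant-02", "PAN-OS", "12.1.4-h5"),
    ("fw-dmz-01", "PAN-OS", "12.1.5"),
    ("fw-legacy-01", "PAN-OS", "11.1.6"),
    ("pa-tenant-01", "Prisma Access", "11.2.10-h6"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:14} {product:14} {version:12} {triage(product, version)}")
```

Fixes marked with an ETA in the table are treated as fixed versions here, even though they may not be downloadable yet.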
Remediation & Mitigation
Do now
WORKAROUND: Restrict management interface access to trusted internal IP addresses only via firewall rules or network segmentation
HARDENING: Limit CLI access to a small group of authorized administrators
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS
HOTFIX: Update PAN-OS to version 12.1.4-h5 or later
HOTFIX: Update PAN-OS to version 12.1.7 or later (ETA 05/28)
Prisma Access
HOTFIX: Update Prisma Access to version 11.2.4-h17 or later
HOTFIX: Update Prisma Access to version 11.2.7-h13 or later
HOTFIX: Update Prisma Access to version 11.2.10-h6 or later
HOTFIX: Update Prisma Access to version 11.2.12 or later (ETA 05/28)
Long-term hardening
HARDENING: Enable Threat IDs 510017, 510018, and 510024 in Threat Prevention subscription to block attacks (Applications and Threats content version 9100-10044 or later)
API: /api/v1/advisories/b7fee869-dba5-488b-91fe-e6431e13e4e2


PAN-OS: Authenticated Admin Command Injection Vulnerability | CVSS 8.6 - OTPulse