PAN-OS: Authenticated Admin Command Injection Vulnerability via CLI or Web UI

Plan Patch | CVSS 8.6 | CVE-2026-0273 | Jun 10, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A command injection vulnerability in PAN-OS and Prisma Access allows an authenticated administrator to bypass system restrictions and execute arbitrary commands as root via the CLI or Web UI. This affects PA-Series firewalls, VM-Series firewalls, and Panorama (both virtual and M-Series). Cloud NGFW and Prisma Access cloud service are not affected. Palo Alto Networks states the risk is minimized when CLI access is restricted to a limited group of administrators and management interface access is limited to trusted internal IP addresses.

What this means
What could happen
An authenticated administrator with CLI or web UI access can inject arbitrary commands and run them as root on your firewall, potentially compromising network traffic inspection, routing, or security policies. This could allow an insider attacker or compromised admin account to shut down the firewall, modify policies, or exfiltrate data.
Who's at risk
Palo Alto Networks firewall administrators managing PA-Series, VM-Series, or Panorama devices should prioritize this vulnerability. Network operators at utilities, water authorities, and critical infrastructure sites using Palo Alto firewalls as perimeter or internal security gateways are affected. Prisma Access cloud service users running affected versions also need attention.
How it could be exploited
An attacker with valid administrator credentials accesses the PAN-OS CLI or web management interface (reachable from the internal network) and injects shell commands into input fields. The firewall executes these commands with root privileges, bypassing normal administrative restrictions. The attacker can then modify firewall configurations, access sensitive data, or disable security controls.
Prerequisites
  • Valid administrator credentials for PAN-OS CLI or web UI
  • Network access to the management interface (typically internal network only)
  • No exploit complexity; vulnerability is straightforward command injection
Authenticated attacker only (reduces risk if admin access is well-controlled); requires valid admin credentials; no patch available for all versions yet; affects network security appliances (firewalls and management systems)
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (6)
6 with fix
Product          Affected Versions     Fix Status
PAN-OS           Below 12.1.4-h7       12.1.4-h7+
PAN-OS           Below 12.1.7          12.1.7+
Prisma Access    Below 11.2.4-h18      11.2.4-h18+
Prisma Access    Below 11.2.7-h16      11.2.7-h16+
Prisma Access    Below 11.2.10-h9      11.2.10-h9+
Prisma Access    Below 11.2.12         11.2.12+
Remediation & Mitigation
Do now
HARDENING: Restrict CLI and web management interface access to trusted internal IP addresses only; do not expose management ports to untrusted networks or the internet
HARDENING: Limit administrator account access to a small group of trusted staff; disable or remove unnecessary administrative accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS
HOTFIX: Update PAN-OS to 12.1.4-h7 or later or 12.1.7 or later (12.1.x branch), or to 11.2.4-h18 or later, 11.2.7-h16 or later, 11.2.10-h9 or later, or 11.2.12 or later (Prisma Access)
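
One way to check a device inventory against the fixed versions listed above; this is an added example, not code from Palo Alto Networks or from this advisory. The device names are constructed, and the rule that a listed hotfix covers only its own maintenance release is an assumption about how to read the table.

```python
import re

# Fixed releases exactly as listed in the affected-products table on this page.
FIXED = ["12.1.4-h7", "12.1.7", "11.2.4-h18", "11.2.7-h16", "11.2.10-h9", "11.2.12"]
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def status(version):
    """Classify a running version as 'fixed', 'affected' or 'verify'."""
    major, minor, maint, hotfix = parse(version)
    branch = [f for f in map(parse, FIXED) if f[:2] == (major, minor)]
    if not branch:
        return "verify"  # feature release not listed on this page
    # The hotfix-free entry is the first maintenance release fixed outright.
    base = max((f[2] for f in branch if f[3] == 0), default=None)
    if base is not None and maint >= base:
        return "fixed"
    # Assumption: a listed hotfix only covers its own maintenance release.
    for f in branch:
        if f[3] and f[2] == maint:
            return "fixed" if hotfix >= f[3] else "affected"
    return "affected"

def audit(inventory):
    """Map each device name to its status; unparseable versions become 'verify'."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = status(version)
        except ValueError:
            result[device] = "verify"
    return result

# Constructed inventory (hypothetical device names, not from the advisory).
SAMPLE = {
    "fw-plant-01": "12.1.4-h6", "fw-plant-02": "12.1.4-h7",
    "fw-dmz-01": "12.1.5", "panorama-01": "12.1.7",
    "fw-sub-01": "11.2.10-h9", "fw-sub-02": "11.1.6-h3",
}

if __name__ == "__main__":
    for device, state in audit(SAMPLE).items():
        print(f"{device:12} {SAMPLE[device]:10} {state}")
```

A result of `verify` means the page gives no fixed version for that feature release, so the vendor advisory has to be consulted for it.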
Long-term hardening
HARDENING: Enable management access logging and monitor for unusual CLI or web UI activity from administrator accounts