Palo Alto Networks has released PAN-OS updates across all supported software branches patching CVE-2026-0273, a command injection vulnerability in the PAN-OS web management interface (Web UI). The vulnerability allows an authenticated administrator with access to the web management interface to inject OS commands that execute with root privilege on the underlying firewall operating system.
Vulnerability Details
CVE-2026-0273 (CVSS assessed as High): Authenticated OS command injection in PAN-OS Web UI. The vulnerability exists in a diagnostic or configuration page where user-supplied input is processed without adequate sanitisation before incorporation into a system command.
Authentication requirement: Requires existing administrative access to the PAN-OS management interface. This means the direct exploitation path is limited to:
- Threat actors who have compromised administrator credentials for the firewall management interface
- Insider threats or contractors with delegated administrative access
- Attackers who have exploited a prior vulnerability to gain management interface access
Affected versions: PAN-OS 10.1, 10.2, 11.0, 11.1, and 11.2 on all hardware and VM-Series firewalls. Panorama management instances are also affected.
Fixed versions: PAN-OS 10.1.12-h9, 10.2.13-h1, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1 and later.
Scope and Risk Assessment
While CVE-2026-0273 requires authentication, authenticated administrative access to a PAN-OS firewall has significant consequences when elevated to root through command injection:
Configuration exfiltration: Administrative shell access allows extracting the complete PAN-OS running configuration, including VPN pre-shared keys, local user credentials, RADIUS/LDAP integration credentials, and certificate private keys.
Certificate extraction: SSL/TLS inspection certificates, GlobalProtect gateway certificates, and management interface certificates stored on the firewall are accessible from the root shell.
Traffic interception: With root access to an active firewall, an attacker can reconfigure traffic forwarding rules, insert traffic mirroring, or disable security policies without the changes being visible through the standard administrative interface.
Persistence: Root-level access allows modification of PAN-OS system files for persistence (changes that survive configuration restore from the web UI).
GlobalProtect Implications
CVE-2026-0273 affects GlobalProtect gateway configurations. GlobalProtect gateways handle VPN authentication and are often the most exposed PAN-OS management surface. If management interface access is available from GlobalProtect-adjacent networks (a misconfiguration), the blast radius extends to any system the GlobalProtect VPN can reach.
Palo Alto Networks' best practice guidance (isolating management interfaces on a dedicated out-of-band management network) limits the exploitability of CVE-2026-0273 by restricting which IP addresses can reach the management interface. Organisations that have not isolated PAN-OS management to a dedicated network should treat this vulnerability as a prompt to implement that segmentation.
Recommended Actions
Update PAN-OS: Apply the fixed version for your software branch from the Palo Alto Networks Customer Support Portal. If running an older minor version (10.1.x before 10.1.12-h9), the update path may require a feature release upgrade before applying the security patch.
Verify management interface access control: Confirm that the PAN-OS management interface (HTTPS port 443) is accessible only from the designated management IP range. Use Security > Access Control > Management Interface Access in the PAN-OS web UI or equivalent Panorama policy to restrict source addresses.
Audit administrative accounts: Review active administrator accounts in PAN-OS and verify that no unexpected accounts have been created. Review recent admin session logs (Device > Log > System, filtered by "admin") for authentication from unusual IP addresses.
Panorama: If Panorama is used for centralised management, apply the PAN-OS updates to Panorama first. Panorama manages firewall configurations, and a compromised Panorama instance has administrative reach across all managed firewalls.
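To find which devices still need the update, the fixed-version list above can be turned into a small inventory check. This is an added example, not Palo Alto Networks code: the hostnames and versions in SAMPLE are constructed, and it assumes version strings of the form MAJOR.MINOR.MAINT with an optional -hN hotfix suffix, ordered by maintenance number and then hotfix number.

```python
import re

# Fixed releases per branch, copied from the advisory text above.
FIXED = {"10.1": "10.1.12-h9", "10.2": "10.2.13-h1", "11.0": "11.0.6-h1",
         "11.1": "11.1.5-h1", "11.2": "11.2.4-h1"}
# Assumption: versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def patch_status(version):
    """Classify a version string as 'patched', 'vulnerable' or 'unlisted'."""
    parsed = parse_version(version)
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "unlisted"  # branch not named in the advisory; check manually
    # Assumption: "and later" means >= the fixed release within the same branch.
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"

def triage(inventory):
    """Group device names by status; unparseable versions go to 'unparsed'."""
    report = {"patched": [], "vulnerable": [], "unlisted": [], "unparsed": []}
    for name, version in inventory.items():
        try:
            report[patch_status(version)].append(name)
        except ValueError:
            report["unparsed"].append(name)
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "fw-edge-01": "10.1.12-h9",      # exactly the fixed hotfix
    "fw-edge-02": "10.2.13",         # base release, missing the -h1 hotfix
    "fw-dc-01": "11.1.6",            # later maintenance release
    "panorama-01": "11.2.4",         # Panorama is affected as well
    "fw-lab-01": "9.1.16",           # branch not listed in the advisory
    "fw-lab-02": "11.0.6-h1-beta",   # unexpected suffix, flagged for review
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(names) or '-'}")
```

Devices reported as unlisted or unparsed are not cleared by this check and need a manual look against the vendor advisory.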