Palo Alto PAN-OS Flaws Enable Root Command Execution, Privilege Escalation, and DoS
Palo Alto Networks disclosed and patched multiple vulnerabilities in PAN-OS affecting PA-Series, VM-Series, and Panorama, including CVE-2026-0273, an authenticated administrator command injection flaw in the CLI and web management interface that can allow arbitrary commands to run as root. The vendor also fixed CVE-2026-0272, an authenticated CLI privilege escalation issue, and CVE-2026-0266, a stored XSS vulnerability in the web interface. A separate issue, CVE-2026-0269, can trigger a denial of service through crafted tunnel traffic and repeatedly reboot affected firewalls, potentially forcing them into maintenance mode.
Affected versions span supported PAN-OS 12.1, 11.2, 11.1, and 10.2 release trains, while Cloud NGFW and Prisma Access were reported as unaffected. Palo Alto Networks said it was not aware of active exploitation at disclosure time and urged customers to upgrade promptly, restrict management access to trusted internal IPs, limit CLI exposure, and use hardened jump boxes; for CVE-2026-0273, organizations with Threat Prevention can also enable dedicated Threat IDs to help block exploit attempts when management traffic is inspectable and decrypted.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Palo Alto says no malicious exploitation was known at disclosure
In its disclosure coverage, Palo Alto Networks said it was not aware of malicious exploitation of the PAN-OS vulnerabilities at the time of disclosure. The company recommended prompt upgrades and mitigation steps including restricting management and CLI access.
Palo Alto discloses and fixes four PAN-OS vulnerabilities
On June 10, 2026, Palo Alto Networks published advisories for CVE-2026-0273, CVE-2026-0272, CVE-2026-0266, and CVE-2026-0269 affecting PAN-OS. The issues include authenticated command injection, CLI privilege escalation, stored XSS, and a tunnel-traffic denial-of-service flaw.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Palo Alto PAN-OS Vulnerability Allow Attackers to Arbitrary Commands as a Root User
cybersecuritynews.com
Open sourceCVE-2026-0273 PAN-OS: Authenticated Admin Command Injection Vulnerability via CLI or Web UI
security.paloaltonetworks.com
Open sourceCVE-2026-0272 PAN-OS: Privilege Escalation (PE) Vulnerability in the Command Line Interface (CLI)
security.paloaltonetworks.com
Open sourceCVE-2026-0266 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
security.paloaltonetworks.com
Open sourceCVE-2026-0269 PAN-OS: Denial of Service (DoS) in Tunnel Traffic Processing
security.paloaltonetworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Exploited PAN-OS Captive Portal Flaw Gives Attackers Root on Exposed Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical `CWE-787` buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows **unauthenticated remote code execution as root** on affected **PA-Series** and **VM-Series** firewalls. The flaw carries a **CVSS v4 score of 9.3** when the portal is exposed to untrusted networks or the public internet, and Palo Alto confirmed limited in-the-wild exploitation against exposed portals. Affected versions span PAN-OS 10.2, 11.1, 11.2, and 12.1, while **Prisma Access, Cloud NGFW, and Panorama are not affected**. With patches not immediately available at disclosure, Palo Alto said fixed releases would begin rolling out between May 13 and May 28 and urged customers to restrict portal access to trusted internal zones or disable the feature entirely; the company also released a Threat Prevention Signature for PAN-OS 11.1 and later. U.S. **CISA** added the vulnerability to its **Known Exploited Vulnerabilities** catalog and ordered federal civilian agencies to remediate by the mandated deadline, while other national and regional cyber authorities issued parallel alerts. Palo Alto Unit 42 and multiple reports linked the activity to a likely state-sponsored cluster tracked as **CL-STA-1132**, which reportedly probed targets for weeks, injected shellcode into an `nginx` worker process, deleted crash artifacts and logs, enumerated Active Directory through firewall-linked service accounts, and used **EarthWorm** and **ReverseSocks5** tunnels for command and control and lateral movement. Researchers warned that thousands of internet-exposed PAN-OS instances remain reachable, making perimeter firewalls with exposed Captive Portal services high-priority compromise candidates.
Jun 8, 2026Critical PAN-OS Captive Portal Flaw Let Attackers Gain Root on Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical `CWE-787` out-of-bounds write in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, that allows an unauthenticated attacker to achieve remote code execution as **root** on affected **PA-Series** and **VM-Series** firewalls. The flaw was reported as actively exploited in the wild and added to CISA's **Known Exploited Vulnerabilities** catalog, with exploitation observed against portals reachable from untrusted networks or the public internet. Palo Alto said **Prisma Access**, **Cloud NGFW**, and **Panorama** are not affected, while vulnerable PAN-OS branches included 10.2, 11.1, 11.2, and 12.1 below fixed releases. Reporting on observed intrusions said attackers used the firewall access for shellcode injection into `nginx` worker processes, credential extraction, Active Directory enumeration, outbound tunneling with tools such as **EarthWorm** and **ReverseSocks5**, internal pivoting, and anti-forensic log cleanup. Palo Alto began releasing patches in staged waves and urged defenders to disable the Captive Portal if unused or restrict it to trusted IPs and zones, enable available threat-prevention signatures, and treat previously exposed devices as potentially fully compromised by auditing configurations, checking admin accounts and SSH keys, rotating credentials, and monitoring for persistence or suspicious outbound connections.
May 25, 2026
Palo Alto PAN-OS Vulnerabilities Including ADNS DoS (CVE-2026-0229)
Palo Alto Networks published fixes for multiple **PAN-OS** vulnerabilities affecting supported releases (including PAN-OS 12.1, 11.2, 11.1, and 10.2) and related services such as *Prisma Access* and *Prisma Browser*. The Canadian Centre for Cyber Security amplified the vendor guidance, pointing organizations to apply updates and mitigations for PAN-OS and Prisma products, including **CVE-2026-0228** and **CVE-2026-0229**, and a separate Chromium monthly update advisory referenced by Palo Alto. **CVE-2026-0229** is a network-reachable denial-of-service condition in PAN-OS’s **Advanced DNS Security (ADNS)** feature that can allow an unauthenticated attacker to trigger system reboots with a maliciously crafted packet; repeated triggering can push a firewall into maintenance mode, creating a high availability impact. Exposure requires ADNS to be enabled and a spyware profile action set to `block`, `sinkhole`, or `alert` (i.e., not `allow`); Palo Alto stated *Cloud NGFW* and *Prisma Access* are not impacted by this specific issue and reported no known exploitation. **CVE-2026-0228** involves improper certificate validation that can allow Windows Terminal Server Agents to connect using expired certificates under certain configurations, with no workaround noted by the vendor; affected organizations are advised to upgrade to fixed PAN-OS versions per Palo Alto’s guidance.
Mar 21, 2026