CVE-2026-0272: Palo Alto PAN-OS Privilege Escalation Vulnerability (PA-Series, VM-Series, Panorama)
CVE-2026-0272 is a privilege escalation flaw in Palo Alto Networks PAN-OS that lets an authenticated administrator with CLI access run commands as root. While the vulnerability requires pre-existing admin credentials and CLI access, the impact is severe: a malicious or compromised admin account could gain unrestricted control of the firewall. The risk is substantially reduced when CLI access is tightly limited to a small trusted group and the management interface is restricted to known internal IP ranges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-862, CWE-863
- Affected products
- 175 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This privilege escalation vulnerability exists in PAN-OS running on PA-Series, VM-Series firewalls, and Panorama appliances (both virtual and M-Series models). The flaw relates to insufficient access controls (CWE-862, CWE-863) and allows an authenticated administrator with CLI privileges to execute operations with root-level permissions without additional authorization checks. Cloud NGFW and Prisma Access deployments are unaffected. The CVSS 3.1 score of 7.2 (HIGH) reflects high impact potential across confidentiality, integrity, and availability, but assumes the attacker already holds administrator credentials and network access to the management interface.
Business impact
A compromised or malicious administrator could leverage this vulnerability to completely override firewall policy, exfiltrate sensitive data, disable security controls, or sabotage network operations. For organizations where PAN-OS devices are core security infrastructure, this represents a direct path to undermining the entire network perimeter defense. Remediation must be prioritized relative to your access control maturity: environments with strict CLI access hygiene and air-gapped management networks face lower practical risk than those with loose administrative access.
Affected systems
CVE-2026-0272 affects Palo Alto Networks PAN-OS deployed on PA-Series and VM-Series firewalls as well as Panorama (both virtual and M-Series hardware versions). Customers running Cloud NGFW or Prisma Access services are not vulnerable. Verify your inventory to identify which platform versions require patching; the vendor advisory will specify the affected PAN-OS versions and corresponding fixes.
Exploitability
Exploitation requires an attacker to already possess valid administrator credentials and network access to the device's management interface—a moderately high barrier in mature security environments but a real risk in organizations with permissive admin access or where admin accounts have been compromised. No network-based unauthenticated attack path exists. The vulnerability becomes practically lower-risk when CLI access is restricted to a handful of trusted administrators and management access is limited to internal IP addresses, as recommended in Palo Alto's security guidelines.
Remediation
Immediately apply the security patches released by Palo Alto Networks. Consult the vendor advisory to identify the affected PAN-OS versions and corresponding fixed versions for your platform (PA-Series, VM-Series, or Panorama). In parallel, enforce least-privilege access by restricting CLI access to only administrators who require it, and implement IP-based access controls limiting management interface connectivity to trusted internal subnets. Review admin account activity logs for any suspicious CLI commands executed with elevated privileges.
Patch guidance
Obtain and review the official Palo Alto Networks security advisory for CVE-2026-0272 to determine the precise fixed PAN-OS versions for your platform type. Plan patching during a maintenance window; PAN-OS upgrades typically require careful sequencing in environments with redundant firewalls or Panorama-managed device clusters. Test patches in a staging environment first. After patching, verify that admin access controls and logging are functioning correctly.
Detection guidance
Monitor CLI audit logs for admin accounts executing root-level commands or accessing restricted system functions. Correlate CLI activity with change tickets and approved maintenance windows to identify unauthorized escalations. Enable verbose logging on the management interface to track successful and failed authentication attempts. Review firewall policy changes tied to admin CLI activity, especially modifications to security rules or administrator account permissions. Consider implementing a SIEM integration to alert on suspicious privilege usage patterns.
Why prioritize this
Although this vulnerability requires pre-existing administrator access, the potential impact—complete firewall compromise—is severe and could facilitate advanced persistent threats or regulatory violations. Organizations with restrictive CLI access policies and robust admin access controls can operate at moderate risk while awaiting patches. However, those with permissive administrative environments should treat patching as urgent. The absence of the vulnerability from the KEV catalog does not reduce its importance for environment-specific risk assessment.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects the high impact on confidentiality, integrity, and availability if an attacker with admin credentials gains root access. The score assumes an authenticated attacker with high privileges (PR:H) and network connectivity to the management interface (AV:N). The practical risk in your environment depends heavily on your implementation of the vendor's recommended access controls: strict CLI access limits and management interface IP whitelisting substantially reduce exploitability.
Frequently asked questions
Do we need to patch if our management interface is air-gapped and only a few senior engineers have CLI access?
While strict access controls significantly reduce risk, patching remains advisable as part of normal security hygiene. An insider threat or compromised privileged account could still exploit the vulnerability. Palo Alto's own guidance acknowledges that restricting CLI access *minimizes* risk but does not eliminate it.
Are Cloud NGFW customers affected?
No. Cloud NGFW and Prisma Access are explicitly not impacted by CVE-2026-0272. This vulnerability affects on-premises and VM-Series deployments of PAN-OS, as well as Panorama appliances.
What should we check in our audit logs after patching?
Review CLI command history for any admin-executed privileged operations that occurred before patching, especially commands that modified firewall policies, created new admin accounts, or disabled logging. Correlate these with change management records to identify any unauthorized activity.
If an attacker has admin credentials, can they exploit this without network access to the management interface?
No. The vulnerability requires both valid administrator credentials and network access to the device's management interface. If your management interface is restricted to internal IPs and strongly authenticated, the attack surface is significantly reduced.
This analysis is based on vendor-supplied information and CVE details published as of the advisory date. Verify all patch versions, affected product versions, and remediation steps against the official Palo Alto Networks security advisory before implementing in production. Risk assessments are illustrative and should be tailored to your specific environment, access control policies, and threat landscape. This content is provided for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45549HIGHRoxy-WI Privilege Escalation Allows Any Authenticated User to Disrupt Infrastructure Services
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution