CVE-2026-0282 PAN-OS: Unauthenticated File Deletion Vulnerability
An unauthenticated attacker with network access to the management web interface of Palo Alto Networks PAN-OS software can exploit CVE-2026-0282, a file deletion vulnerability, to delete files from a temporary directory, impacting PA-Series and VM-Series firewalls, and Panorama appliances.
Palo Alto Networks has disclosed CVE-2026-0282, a low-severity file deletion vulnerability impacting its PAN-OS software, which runs on PA-Series and VM-Series firewalls, as well as Panorama management appliances (virtual and M-Series). An unauthenticated attacker with network access to the management web interface can exploit this flaw to delete files from a temporary directory. The vulnerability was discovered internally and has no reported instances of in-the-wild exploitation. While the CVSS score is low (2.7-5.1 depending on configuration), organizations are urged to patch to prevent potential misuse, especially if management interfaces are exposed to untrusted networks. Cloud NGFW and Prisma Access products are not affected by this issue, simplifying the scope of necessary updates.
Attack Chain
- An unauthenticated attacker establishes network connectivity to the management web interface of a vulnerable PAN-OS device.
- The attacker sends a specially crafted request to the web interface.
- The PAN-OS software processes the request, which due to improper input validation, results in arbitrary file deletion.
- The system deletes a file from a temporary directory on the vulnerable device.
- No immediate integrity or availability impact on the product itself is observed beyond temporary file deletion.
- The objective is the deletion of temporary files, which could potentially disrupt operations or be a precursor to other attacks.
Impact
The primary impact of CVE-2026-0282 is the ability for an unauthenticated attacker to delete files within a temporary directory on affected PAN-OS devices. While the direct consequence of deleting temporary files is often minimal, such actions could potentially disrupt operations or serve as a precursor to more sophisticated attacks if combined with other vulnerabilities. Palo Alto Networks stresses that the security risk is substantially mitigated by adhering to best practice deployment guidelines, which involve restricting management interface access to only trusted internal IP addresses. There are no known instances of malicious exploitation in the wild.
Recommendation
- Upgrade affected PAN-OS instances to fixed versions (12.1.8, 11.2.13, 11.1.16, or later, as per CVE-2026-0282 advisory) to remediate the vulnerability.
- Implement network access controls to restrict access to the management web interface of PA-Series, VM-Series, and Panorama devices from untrusted networks, as recommended in the CVE-2026-0282 advisory.