Skip to content
Threat Feed
medium threat exploited

CVE-2026-0286 PAN-OS: Authenticated Command Injection in CLI

A command injection vulnerability, CVE-2026-0286, in the management plane of Palo Alto Networks PAN-OS software allows an authenticated administrator to execute arbitrary OS commands as root on PA-Series and VM-Series firewalls and Panorama (virtual and M-Series) devices, potentially leading to high system compromise.

Palo Alto Networks has disclosed CVE-2026-0286, an authenticated command injection vulnerability affecting the Command Line Interface (CLI) of its PAN-OS software. This flaw permits an authenticated administrator to execute arbitrary operating system commands with root privileges on vulnerable PA-Series and VM-Series firewalls, as well as Panorama management devices (both virtual and M-Series). The issue, discovered externally and published on July 8, 2026, impacts multiple versions of PAN-OS across 10.2, 11.1, 11.2, and 12.1 branches. While rated with medium severity, successful exploitation grants extensive control over the device. Palo Alto Networks is not aware of any in-the-wild exploitation at the time of disclosure, emphasizing a proactive patching approach to mitigate risk, especially where CLI access might be broadly granted.

Attack Chain

  1. An attacker obtains valid administrative credentials for a vulnerable Palo Alto Networks PAN-OS device (e.g., PA-Series, VM-Series firewall, or Panorama).
  2. The attacker establishes an authenticated Command Line Interface (CLI) session to the vulnerable PAN-OS device.
  3. The attacker crafts and submits a malicious input containing OS command injection payloads through the CLI.
  4. The vulnerable PAN-OS software, specifically due to CVE-2026-0286, fails to properly neutralize special elements within the attacker's CLI input.
  5. The injected operating system commands are executed by the underlying system with root privileges.
  6. The attacker achieves arbitrary OS command execution with root privileges on the compromised PAN-OS device.

Impact

Successful exploitation of CVE-2026-0286 allows an attacker, once authenticated, to gain root-level control over critical network security devices such as firewalls and centralized management systems. This can lead to severe consequences including, but not limited to, complete device compromise, unauthorized network access, configuration manipulation, data exfiltration, or disruption of network services. Given the high privileges obtained, the confidentiality and integrity of the affected device and potentially the networks it protects are at high risk. Palo Alto Networks has not observed active exploitation, but the potential for extensive damage necessitates immediate action.

Recommendation

  • Patch CVE-2026-0286 on all affected PAN-OS instances by upgrading to a remediated version as specified in the advisory references.
  • Restrict CLI access to only a limited, trusted group of administrators, as the issue requires prior authentication.
  • Enable Threat Prevention ID 510036 (from content version 9122-10145 and later) on devices with a Threat Prevention subscription, ensuring SSL Decryption is enabled for inbound traffic to the management interface for limited coverage against this vulnerability.