fkie_nvd - fkie_cve-2025-0110

FKIE_CVE-2025-0110

Vulnerability from fkie_nvd - Published: 2025-02-12 21:15 - Updated: 2025-02-12 21:15

Severity ?

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber

Summary

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

References

	URL	Tags
	psirt@paloaltonetworks.com	https://security.paloaltonetworks.com/CVE-2025-0110

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the \u201c__openconfig\u201d user (which has the Device Administrator role) on the firewall.\n\nYou can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 ."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de inyecci\u00f3n de comandos en el complemento OpenConfig de PAN-OS de Palo Alto Networks permite que un administrador autenticado pueda realizar solicitudes gNMI a la interfaz web de administraci\u00f3n de PAN-OS para eludir las restricciones del sistema y ejecutar comandos arbitrarios. Los comandos se ejecutan como el usuario \u201c__openconfig\u201d (que tiene el rol de administrador del dispositivo) en el firewall. Puede reducir en gran medida el riesgo de este problema al restringir el acceso a la interfaz web de administraci\u00f3n solo a direcciones IP internas de confianza de acuerdo con nuestras pautas de implementaci\u00f3n de mejores pr\u00e1cticas recomendadas https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431."
    }
  ],
  "id": "CVE-2025-0110",
  "lastModified": "2025-02-12T21:15:16.630",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NO",
          "Recovery": "USER",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "AMBER",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "CONCENTRATED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "MODERATE"
        },
        "source": "psirt@paloaltonetworks.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-12T21:15:16.630",
  "references": [
    {
      "source": "psirt@paloaltonetworks.com",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0110"
    }
  ],
  "sourceIdentifier": "psirt@paloaltonetworks.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "psirt@paloaltonetworks.com",
      "type": "Secondary"
    }
  ]
}

CVE-2025-0110 (GCVE-0-2025-0110)

Vulnerability from cvelistv5 – Published: 2025-02-12 21:04 – Updated: 2025-02-19 14:02

Summary

Severity ?

8.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber

7.5 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

palo_alto

References

URL

Tags

https://security.paloaltonetworks.com/CVE-2025-0110

vendor-advisory

Impacted products

	Vendor	Product	Version
	Palo Alto Networks	PAN-OS OpenConfig Plugin	Affected: 1.0.0 , < 2.1.2 (custom)

Credits

Google GDCE

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0110",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T04:55:26.388360Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T14:02:03.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PAN-OS OpenConfig Plugin",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.1.2",
                  "status": "unaffected"
                }
              ],
              "lessThan": "2.1.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eYour PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.\u003c/p\u003e\u003cul\u003e\u003cli\u003eOpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.\u003c/li\u003e\u003cli\u003eOpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.\u003c/p\u003e\u003cp\u003eFollow these steps to check the version of the OpenConfig plugin that you are using:\u003c/p\u003e\u003col\u003e\u003cli\u003eSelect\u0026nbsp;\u003cb\u003eDevice\u003c/b\u003e\u0026nbsp;\u0026gt;\u0026nbsp;\u003cb\u003ePlugin\u003c/b\u003e\u003c/li\u003e\u003cli\u003eCheck the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed.\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e\u003cimg alt=\"\" src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAArwAAAB/BAMAAAD/dwxDAAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAAAtUExURfP29/f6++3u7v///93e387Mzf8nA8W6t6Soq2Vrb4OKjvxKLEFHSvOPenmweWfjje8AAB+BSURBVHja7JrPa+PMGcetNLClUJD2zWGP2WGEFbHv4aX0vu8gYcuYkFfI2E7VnMrbQ081Nk627rIYh9hBlGJkYgkdXoRDYuPz9lB6CTK2jI5tL6W3XXbpwX9Dn5H8K7+TfVte3myeOPKMNBrPfPzVM88zSYzjOIaFA8sx4W9UnZ+6UF2c4q5p8ZSe4Tj+F48GFuP+x7bywPHG7megOZYqj2FoiUpwXmKgxM5L3Plmi1PcuYsPXL2//Ou9LMYxU9mxq5IkMeEzz80e/qkx5w6LCwv/wM4uMjP1SvhB2pff3stiU0zw+rJc/uPLlRjFxHCRn42cKnOF3wWhhqKN8LMz+S7Um7m77d+9ae6H7vbX3/7t33e2f72NLaSakCcfy+XSc2ZJsnNtz9V6ydirfS+6u1Xv3lT4obuN/6529275t0tLmzDZn7yTEi8XroDlFtpeBn7NxdCzPP0x4o3/f/DG306dA/UHm8XE5B3zZGvuTGfcYpFHDn0GuzJlyU7PLbULC4D3qwes3p/fU73MHNKmNJlMngPeVcveiuBFvnf7a6htP3/2hp5S4CCd0zfDMUuIH9V7Ub3RmsVtbgLeUmKLWW3GW3NpwlWeuuPt9Wff0RrgZQ+4KyUsazGK94tH37vse6ehAbuZmLzfqZe3uLUm9+pVbLfeW2+4ud52J4l6bxhQr3t6utLtPunJVvWwI56yFyT8NFv++lG9F9XLzvhsFifah8QBVS+XV8jxqVIsnuZzZi+Vqm2xgLfTyuc6jXiq006a9UM5Ws2YuWNeLZd/zzz0yCH0vVgiGGEkSdGLwAFLEib053LkMA1ghQ+vd/7T61WpevPifuf42ZvE6Xb8u3wq/zL0vZ2mmP9GWd12T35m9/aOp+ExDRioj+bWyqD8SL1fPGz1KoGpE10LfMkJ1H7QsUhPCfxUUzDT7kX1zp/vlZ3Je0jcquxqc6W3aqnHzw5OTrf5EO86m9oSa4B3K6/UAW+V4L3ns7BsurKxoXP4HOLevlakeIfpmq24fQk71R6uFMUmbxvkCt87C3x3XUi2Ctxa+9Blu+j4WX2KN3la5YTTLm4fJk+7yiu3V2of7O4xF1OOVfJ5RA7YRojiHRuaZVT7Pcke9pCuik1kjK5JKxgIwH5aKsTrdZdbKZfW2RNWXVPLmrz6Dc8jeOqf5oprR8WVciJe2kpsZYuJ4ix6YOdZBfPwszbqe/E4wuuPseOTfh0f9W2Up3gV8+q0IrQn9dPDXs+lwJinzTChoHEvO9tWWPvzNBoG+wnHMhfTCoa2+hwiB3AO6VpXGhqSbahdCR8pY4rXJGLnusCMYZiVcNPiZUgrts6Gio52byIPy65zUai72ClbDn5pPfbjxHtP3wtLmxC08VAx7ZQHS9sRDvEGgwt4l9TLUEqw0MWmemXnC9fyJsN0u5Jhl7cqwwvs57TnIBH6ooEYHCRE1zMchWsX1RsGvky0tc6yQDcWi/YioQo/tBBJNYwxYvQ8M9+FZM6nbst/DHrccwjVS6muvL3XHvFvou8i/E4o7Rgt0a+Fnlh5zNqW1StRux/e30o32eN+77J6KRH57V/K1HZ7J+Xb7Z834+Ue1XtJvX8P33YyH6Tb7Vd3VC/OqJCHwxv8wjqAZPqGiZwhlzjABQnayRLCGgoPF9P3BV6sEZzRYBGRM2GHGpI1gngt/BTonNZmeOnn8hmNz5BbvzU6TCSTaOOADieshn1KUNJw1EeIVwrnI9FPoyNH0Sxl7Vr1Urzy64k22b8d7x/uqF7FMvdkE21YJhJM3kR9Nd5CSrViVS/hFUw81C23bxVSltrGDaugVMXq1RygW9E/UlTUtYg4QHCDY6lIt47Rhoktn3Yyx9uweS9vDdJW51b1ilabCFab9wRTKQ7xyYYLXbeQ6KGG1eEtW/BtMsPbgIl4Satm+R16HcHkYFQVGMIN6k18KEvZP9FqRpKL4XlZuzdeMldvel9tJDz6hgQ/0cKBK0COU22ULquXHwieXiLd/FmjTGxhtD1IDzeuw3syFgdauoCtDHkxRvQGEFYlaxF9iHND1crM1YvtctyT82a6dLt6U61KtbLf10bpga4FWhvw9ssWSY9QP2vxI00c7HVmeLswEU8/ULNDVR8hg8TDWRowhBvUm6AbOjsANBn4uUHISjfvr94lvKSRMFH6BPAGJ4P4yBOCjO8aB5fxInvD1Q9IN3VmHCNbcfE4beWvw7s/EocqxVtClQqBG6CAKkQvdLsIZEVrM7xODWZuqOkDcqt6U67YtJDiWrrdl/wWxTtCumr0SZ9U5FFRPIsPFngd19PbBA9Qo0vx0lkSA5rfpN6JFuFN+c44wpvvfJp6ww3JNKAEvC98ePiPxoON1lCwrW7VsK/AW9FV3Sb9QBWcAuBFY6XhXIc3AOfQAbxOG1l6NekUoEDxFkc6dT9Ob9FtKkh4PFCy1NvV2xTObLThGt2GjT2f4h0Cr7Gu9oku+6bY5JfwHo083ungAbYraoTXKjRQunCT790B+e58BLwjfTy0t4/7VuPUGiec409UbwE1ZHhsYJpC0/B03xdageI2yBVLfNqhX31XL0gbri2a/FApXYv30BPPEFUvwoHTJHADongrucBxAa+91C2pJDwF5q6iO6h3owkgC+kh+BhPHwFeCxmJIHBBv/wQiWfgZud4TcPDgocHcfjMyDlUkYEMclPkIL+n61tRSo3746Gv2+PAsH3HGB9/ou9VYXh+m64rQjM16CM9Z5ZBHlcsbUikEut0RbMP6uUdp6kUKtfhrfmwtEGvjrV9xg/gBsdWUcUabTQFj6rXni9tvO/HPcNq3bq0UfX6AVF8n7zwFA+fxUcbvqn70Gfc61sD3rfhkS4s4RW9iuPigWjGzwwrG87SsEboNvVKm4A3CF5FeHV7WOn6xU9Tb5KgLK7vC/Ua4gu4WEJCpoDiaq6uXsaLqyhZL5TxfmIflRAc4iSuXs0BeuBpr9XdekLFJWi7Wydwt5okuIaLUFPn3eaKuJqr15L14q3q5Wmb3QIMFQZbRaV4vYrrqkBwMXdAcP2Aj/oI8Wb5AqrxBwjXYJC1XF2j46HtbowcJpmMJr/WwDloKcB7FBxRvMf9wafhfdxzOKfe5Lvs5P3OB+p7pdQwcNqBX6HqvSfekO5Xj1nbJfW+h6wtDMxaUqK1Z3fHzuFJK39o1R7V+z33HCLnAFnbxwUncMHa98naHqh6/3H3f7zMLqtXzkLWVlpwknf/y971/LSN5XE/E7aA5vBeHASt5pCfokSshOOgaVc9BBLEj6YSUDIhEbvay/SyWolhyARoWUEaRBL1MM0kIkY90BBEEvU6c6mQZrpFLRXHdnoYcdzr/A3r334OaeLQou4iP+GHExtDPnz8fd/f3jyHUTxyyWXvvXs/P/+H3q97GHv1jksoHFpgb4vp0yJ7W8gJPv1Nl9U2qnsEkrO6x/gFXVb3maPhrVBM71iOSez99O70kDG4wQfPoLnFYBCAiCC4TYh7EoC/hPwSkEbhFV5HJKBBi5HiaLW6D+oXt+HVbA2HHMoMGIMbcgqfEFDfdAaWscwm+kMQQjltBKvZEmP2aoYkYdU/SP3jgi7bwlXtrVwWy9IBZPJv/5mz6asOhAqVVVIDnL0t3EF+/ad6L+aynhYua2vhshShkheZN//4Y06byi8mUEKp9ErJ84dQLbeCWH0bQOeRvZ8fXi91MfC2EUq9Hy8c/iWwt8MGYxzM4zZkziT4Iz3r6GwVVh2JART20pcX3uGW4IXyagWQOekcmbMB5N4gc+lpojKMru8n+UM9C0BbxQbrlK1IiVNmg71n2Cve3eYkQ/Pwtmd7iukfutlh5F6wdh/YY1tT40nLlhVpyl415VZythlUCq8M9grwArE+QsgdTTLMnA0iMu9eSO27M8NEx85UdDy5s5zYXp2MDwMlEfJsXZuSbdaYvaY24RtNSVubjAO/w39G1BxeAQqPx8HNg83hpanPyl6oEBKI8HL7mchwKrIaHWetk/mdVC7Xe1BIr5aAtjRTA6oCdGPhMHR8V/jIT14zzLPXFPPomBJxmD9xMEFu6z/5thm8107ecDsD0aczDPPld03gnXfMnyRfMYPs52IvdptL8EI0UbWm3NuTI05IpAqjgWLvVi7gTC9ooQSwbu0gpjkgiua/uInbFV50LvAzc+OHFf9XL4J3vS+/uCvg4Mlf3fMUun4cTHdkm8F7cyM4TdE914p5ivkKIKoRvN4TRwZ5T9qGjj8Le82CcABygaAkHIA7D1OWhJuTvbP7q87ZYm8yN+Z0r8ssh/L/A0rKG5RfafTeHnZ3gt2Y2OmrbHezxfR2byX/iM33s0XG64j4b+517Xn8V0V46eG/7Hlz3l8Z+1BTeK8mBuYeRie6qscbzM3xSp5qAG//I0d5xnKy16mTve3TF8BeWZxK7OXWtiKKI+i2wXY2cZ2dLfasRwrjVRtvlUmclW0JqVAbSrsQZ29wpjAfevlmIpVLDyyOHQUnc+ng7Kv0RCJAeapttx72/sjQDxzSXRy8O5QbfMEBstGUvcfHXXsrQXfplTNwK/qy4vgwvIPpAUflyWz+xaMVXfAOrk5/etmrKl2bCM6BWttMbklAQLx7BlDFL5QrLmrYG2lLR8xHbyqpp/NB6sbTm5mHkaD/1fxKjPVzIuDmw649pvtIvotfM96c51fGU3U0Ze/+/CoPbzF/befL6F6kAbxDbx6sM12lbOVIH7zdZccnZ6+KJ7G8tbwF6rdpkBP8cfNC7qCBGRy8z4GS4J13VCOml0fO60+DQVtH9ouoAG/wwEYMVvyejsf9i+DBtIgDHdygndvd/x52Z5nmsvdq9bEALw1uNYbXW322a+PgHXisC156MnEReq+CqCsen8HsBADOWGrgrMuspq2Gyt7+naP5SrZSmXsa7Nwp7bBdInvZdebG8c7E0jHr3jxhvxOXthO2mEs/2Th6xu42Ze/xk9E3T4LuXfZbpgm8nGphY9lAdsihB94Rix7ynkP2QkWAIqzMTaWw3BMDLxQENY11gNQWRoXXExqejznaY6TfZA77Rme8fqepbaY8lmWGQiGXY2zGEgiF/CK8odDUgilGLY6GppvB6w3N0uFAu8Xfx939Tr+z0dLGDFFjs5ADxNkcXjoVLX16zUGSmgDh6gBfuibBxc8QyKsZ7h/TlAyJBcbaTlA0Ezn72R892WhgXtE6rTZax4dr1Wq7XtVFzJbZC4BMP0jICCqCFXOnYzovXtwGNU4HjVlRx6qCVup/1CgmkxTzyWUvUEACkFg7xD00soAAGM4IqAoZUCrilO5R/6f+3ou02qBYeQmRM/D74YgoK4QwBEQazsIzTXawPluKmCAvu0vnfP5eTi9bOz08fQdUk1eVCxBz5oAaaYCkXmcStzn2UgZ7cZeORFby/uH7tSWg9s4S8ZSrjokajVhSNHB9gz9N0XuBwV5zmxprg+b77zPlGR5eV9yngObiVGHh8Pi6RvWV/i2yqgGkpi+K7KWtBnsVo5jfXKeZcmaf162qmW0l/pZJlYSjlvLUh+05DXtFeEmrwV7ZISlI09uHmURf2YbQlRwZcY0umsPW2ZgrR9hdS0RoqW87ZI6PSDJZNTYkX5ugJgsSWmav1Wawl2evsjrdPqxOmco2gLo2UP9coTy5la2m54qIyKzOFtLjhXRXal+OD0vxDTnRQTU1hD5mNJ/nYDPYK+i9UnsG8OfTTMJV5lQADt7O5UR0JZ7fv57ZRab9K6UXk6FSpHO0iOtkdd3pCnsJg72y1SbSkFxbLWdKHE4du6h/fH0yHeObQWWRpdRd+sUdKk50sQv1O0fi7116eFvUHETJy3fRW+M1B26fLDirHburER8Hb6Jg3zroEuHt3PQ1Yy9EBntrjWIJJjOn98bf8grWJJvoZXNX2GKpd53bn9hxPubgnezMbNdryqkADSSrjTLYW+PSEfTXO6e/P38nxN4I1LHOzYJlzJ0hrn/ERGBfbfMiOdEg3pQaiFYbbbC31qXDI2ax3z/0SUpXz/TZNKcr1QXMUlbQldvUi++Qlx3e1n0Oitfhznsgew/UbCc1VgnUCEZNMpTqTTNkrxbeOnl5AMt+BLVhH4nrUM17wj0UHHs58lIGexWfA6gNUGpdNXJUAqghC1gnOxLWxNpIn8FejL0QY6AIqRCDV+xeIPIUANzVCzSKGYTK0ka7XFMGe6UcM97dqLgPMA8v1AYu5MdTQPShDEk51sYJh7kFg70eKQlKUgNIq6i9AiyIBlQpiy129c0KCV5B711eMNirBIPEOM7aex9AasdTALVPsFCTHEBdg01jFPdNGewV9V4gyFoA+5ZCS6D2hgeYEFA86VBpOo0bbALQpCQcLu3Sds5oBYLhv74N8zibfcgplaxIDw2CqlgGmPaGZHeFqiAL7KUNvVdrVgj4xdcWwzxS3VmUAY0DE7Cm9amw6JF2jL2G3ou5dATNNRyyhvkngFiyaJQMWV0z7aM+1wy3NzpVa3woaSWYIgHDMRsyPGY17FWfrzK2NDLm416YsjDqLifL5c5qKZNyp5LlZI1qXFNvJR6wxOPTCKvKRLTOMUzpHhb9p1LDtO7hRfrPtek/1QwIRdWCyBSLOZdE9q5O2PsOVgYCB+WRlXB+26c6ceqIConGHLwLeO/0iykjvZDRyl9gb+GyVkJesHg3pPPObJxD0sTBuwI6DuL99oPJQjq+GM1BOV1Pa7VpbAtymWev7JC8/fyjxk8ESfLNlvmJsPKbMNnlPeVgvUn4AdLa7FxCc4b0G87+APbr+el2aw9zxCqwCdO78Azg4CVWg76xkpOD1x6N2EfsZazEFQDMotAUBY3FCNVj9vW9jxrf1H+yp0nvI0A5XHz6Hxiquay18bnft9SNRFJiBe0LwjuhdwS0nBxnOthEZYeDN13oYPcrOajJk1Y0Mq1Zwbd2UITD1/88/Yjx28fCC84Pb5PxfQsf7B6BFNnAY9X+NiaptgQQbGO+nQYiVaJCePbZpAB3/Srw/sTfWbwE4idCaBZQM8kHfWff/dM3PEBA6M0Ohabs4tYKDhcF79+FP9ra6BNJk/Nn4r/cnctv2loawM9nmQlBXRxzE010V7YFIqDM/+BYpDyUSjQKQ2Ay0uhuZ5NGYSBRKlFEFEBddCJQEtQFtUCAlWVv15kqVR5iNbpVRyPd/2X8wPYxIeC0eXTKggRjCP7l4zvf+5BOLWaov/6GiGJeTAxqMABbBb6m9CKiyNfItf35V2uAPTZ+Ud5HYYRBn2fPIP1JQX2kPaXeqZuOqHiv3bDBAT8u3l+QvimCfkXGcH79srD2i/4kRhS5maO+rwcylzBbMdlwQBjMXk4wLAcYxHt/IvFeV4mOONjxwggOFPs4eOEff3N8LvUBkeWko2rIwNgiF4iiVJv5a+WNzZiDgvfpKLx0Xr/mtS2EZjcQipYGHAL7iv5QDvr3WRMvjObgKivnofnAhmJFuIXxeCHCl8tbW4hKPhpeZmh7Z6K8l7EFeIZ8CrDYki83dO/T9yP+nudI4+G6OmbR7imij08EjQPVO9lA8XOE1nvSCOm1cQg23iovCsalNkLTifF4qRNe7tUvWfryLnWv8y/FB3S9M21opMBQwxW+cWqGvuqp0vuThpfOJ5byQmCPThWpfCJacq2V1ve3XPsimiukBerqFM19DDZ1vC1PE1XPEXXkP5uEd7q4sJVYmg+1LwTkDq+VxuF1v2VRrNRPhBzipQXn0ht2LL2DwAH90tgDGkYk0bBl6loJeGzvdQNSegd9bZW1q8vgUbvRC11d7XbPd18fKHqzIqClU+SR3Kc6XnahgMRDRNepiXiD7dfx5vZyqHO5gZ5krhrsGLzpdRZthxtvlnvO8EY3HEsvXWad4tW3/2Ein18mCHtBNxewVWtqdmZaE3Ss5JB+ZxX/P32/LvbSvk8XO11pd1mcry3sSNvLK+eV+P5xwqXoAdcpmpamTgdrUE/5sIeI+kR9mii9l281vK3D0PFCRqoIoywMHe/M0QJLHdG1i0bFEV5adi690bZT6R3oWZwSAv+mEGBiqboew8GEsQvXngKwpHebraT584v8WnN9HbmlJ9V36eXE+fKlmGSXixpez4HnjY43dIA0vIf0ZOUgBeWm1vRKJ59kmtvCzdI71e+fTX2ka7tn247wzrdZp9JLVTYd6V4w625wDujf8ltamR4GW8eP0e5u9mgx9vFPxNAt03J4vyw01gNnF3S0ub6wsVZbVmUucb6+x2L6gp8SXKeu5NnCho73ROSLCt5Sb/7jRLyF5fLBawXvIUIT8CJqQVgo0LXpgiO81E7CseUQ6IAj6QXDawOcE/z/KZcLjKIKbf1VGJHOL5DtQcAM/wcs6XX3D3b7xfX+mpQO9GsnF55COpY43+3V0HS/v1t4289Ir690Di5FzM7W+wefYv3EJLyh/hXdP1bwvpZUvOlxeNECu8vSNYR2JuOlspGOU8thanV7w6HlwJj54MjWy521rgTU8RFirGIomFocqug1IGOiUV4Nman/Bkt6kbKssIMICWVGShrRmhU80X0DwYyksJhFk/BSZoQLERub3YDXoYOnSe9OpejI7lW8tim560CN6LrXnEdCv/wcjawWGbfE85jnw0gUkU+Y8cVXdOvXNm0LwNa9rQ5+iJDZCs3ujV//k7FLYXgZEtA1V3eAFzs2ULEt2AVf47XNO0KmSS9VLTl1K8zdnOlkMplP5jaZqTobR62qvNKQw3LHI1c6cG3AgAXWfDyTIrMVI90Kx97rH74qYgbf5BRTK869Nj/rFK/pNQS+5HJlPicw3mo7g+rdQOssXpZiwWI8YavDATxcl6Yr6plc7sUEr+3u8eKbGd9bxOxWXpt5e6aY93o2iK4qeMt0619u+cV07Hl8kag0s1VF2Y7Zc233hBfQt7ztI8QcjDQP8wwYuuRfAcYl7KT5eneq9TFULsaCi/HnZgzNtukr8VA7EMlxDy69Y7TD9yK9AyPsGc/7ixEBsFsdh1XrHa9eNXy9o+nF0BEMbDcj9IgxJiYWGWVoFEtkKybjxXePF31feHW7V+OLmD/9/vt/V1KcIoo+FvF8mfd+ZDHPekHb/pnBzNCczsEG5tZcGLDHHG7PAX48vFZkjBfD0eyeUZmO9xnvP/U0BmBrL2j7XCgr2mb0Z6h4/Ul2JF64e+UAk/A609UzTk7S0hK31b1ArP8/0fmiqSuI1uHhlIWZ2yACvVZ9rzeZWoX70b3w2NILqvRSt9K9etRBD32ZIQhLIu1pS6KOz57KBHOG5Gwym3WKF9s54NF48fenHLBD6cVjp6OTUXUgrF1s6xPAxAlemE1lk3civfj6ddBjzF54KOm9leWAyVC5Pa8+Zu7/jccocGVTKt5fHe8+MGLjp6fjdC84U6rfy9JmVfguJVni+w/jkTLDJdaDXJuqHDj/079/Sw3Uhx/FcsB6nYIe8sqlNm09WDYnjRiqZQbK4FokQtG92VRKkd7HLYL6brw2onjftendGqxmYDQNYqvcydwDxJplhu2qGBnSC/5bbBqUHXFM/BGk14o5aNLpT+AkYHunFZE4tmRWr0Yn50iaCtsLrpSqe5VlR113tDu9QMd2h6wnQSBOs84daWbcZ8TsDvHi624FxlRkK5wT9VwbYgjrFzHYSPpoxGc4rYyJIw1itbJXdeC8qnJIcv6HETP8INIL3yK9RmwGIjn1xgFdY2bqGstNHWqMiz03bQvlx8+v8Mlly31gxnbUt9h0S1ibBPXHpC69g4sH60MCeQwP3CCbe4WN024QCXqSyH5lQBIm+oC30b14SPfqHUBLnHLJEYFxXYHnE2YxRbURxVEUE+MPMa+mXTAPiAcq9Ap3qAr/nFJjEhTPUOq5LZ9AsV5Wld5sCvykKzn8ZccETa2ET//gAKONXeLx/5HuxbYqHWUFW+LoLfCzMNtIpOvxhl8uH5fkVkbGsVjBJeeb7hczvWZZTmR6r7wdxlNqVuvuRkeW2WrXL+cb8ma1E+8qlkMqmQX/aCHDFitsHhacaNJRHOBh8GK79P5yO8vB6HZX8Aa+ID/LzB62DuvhdKYk1udb1fQKEzvmgsl2Lbg4E65Vo616SMGL59oHqzvLS7VubK8Wz2wp5+7VfNWwaphlDd0LpqBiowSV+MRgcSA1Ah6jXR9GeuGu3QrdqeBcnxXpZWhJluqBSk5OtELdbprBsXQhVm51q0Dn6+XZtuRRlAP8vHew1gvmi+258rtQXhZrc+Umk2krutcuvTDuo+OvU5KPavfeojqd9NpwhKM3kZ9jZpvpRL2b2Yy+aYeKfEZZ2nyHMVGM1ZjQnoq3puLF6WSrsx3cF9tz+83QZlSqufcliq7ypvTir+CA71BJ3pfuvVVvhZUyU/B6BRzgGPqdD+pyJS83e3tyNwM4xqV3ZMnTZDxdBW9L7r1CPbnjqh/1gnK7PVeU5Wi1IOdLcrcq84rdm0yB//E53JP0/uWWnUG6U6a4ChFO+epGFsG7yGDRH+bDnI9dEn0M4wOaDwvTzxlqVeC9rC/MYl9Y8ArhcMbXVg+IVJj185xP9IlqxCyXvBe88DB4J3yDRNHxpsY+ERH7KERUdfGFMwORiKgsVRa/DNIPktsEBI8lw+7VshqqWzGTVHWvGe0Bo2BVL6kwB0gZDxmGYwwnHBvzpIbrKIxIvndUQAmswlgyUMIxtjHOQPZDD4o/0cAP9eL/De0iRUG0QVhE/xTYYCUagHdlwofDmcBBzgALAfSTHQSQpiegAw/Aviwj0hI+SKdYIDQ0YPSeYggAALuKtpPkcwyjAAAAAElFTkSuQmCC\"\u003e"
            }
          ],
          "value": "Your PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.\n\n  *  OpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.\n  *  OpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.\n\n\nThe OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.\n\nFollow these steps to check the version of the OpenConfig plugin that you are using:\n\n  *  Select\u00a0Device\u00a0\u003e\u00a0Plugin\n  *  Check the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Google GDCE"
        }
      ],
      "datePublic": "2025-02-12T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the \u201c__openconfig\u201d user (which has the Device Administrator role) on the firewall.\u003c/p\u003eYou can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ebest practices deployment guidelines\u003c/a\u003e."
            }
          ],
          "value": "A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the \u201c__openconfig\u201d user (which has the Device Administrator role) on the firewall.\n\nYou can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 ."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88 OS Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "The risk is highest when you allow access to the management interface from external IP addresses on the internet."
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses."
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-12T21:04:42.675Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-0110"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThis issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-panorama-plugins/upgrade-a-panorama-plugin\"\u003eprocess for upgrading Panorama plugins\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eOpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "This issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our  process for upgrading Panorama plugins https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-upgrade/upgrade-panorama-plugins/upgrade-a-panorama-plugin .\n\nOpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions."
        }
      ],
      "source": {
        "defect": [
          "PLUG-18615"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-12T17:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eRecommended mitigation\u003c/b\u003e\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ebest practices deployment guidelines\u003c/a\u003e. Specifically, you should restrict management interface access to only trusted internal IP addresses.\u003c/p\u003e\u003cp\u003eReview information about how to secure management access to your Palo Alto Networks firewalls:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePalo Alto Networks LIVEcommunity article:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ehttps://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\u003c/a\u003e\u003c/li\u003e\u003cli\u003ePalo Alto Networks official and detailed technical documentation:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"\u003e\u003c/a\u003e\u003c/p\u003eIf you do not use the OpenConfig plugin, disable or uninstall it by following these steps:\u003cbr\u003e\u003col\u003e\u003cli\u003eSelect \u003cb\u003eDevice\u003c/b\u003e \u0026gt; \u003cb\u003ePlugins\u003c/b\u003e.\u003c/li\u003e\u003cli\u003e\u003cb\u003eLocate the installed\u003c/b\u003e OpenConfig plugin.\u003c/li\u003e\u003cli\u003e\u003cb\u003eRemove Config\u003c/b\u003e to disable the OpenConfig plugin\u003cbr\u003eOR\u003cbr\u003e\u003cb\u003eUninstall\u003c/b\u003e the OpenConfig plugin.\u003c/li\u003e\u003c/ol\u003e\u003cbr\u003e\u003cimg alt=\"\" src=\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAArwAAABACAMAAADPq1Q6AAAA81BMVEXs9Pf////r7/H19fX09fXa3d/p8vXp8PPu9fj/JBju2drs+Pzv9/n09vb9QDb2j4vr8/bk7vLx+fvQ4/Hq3t6/2O1BREXk7O3R2dtKTU02OTnZ4uPb6vTf6eqgxeb1ko79Qzng5ec+idD3hoH+OzBhZWaxz+qIjo9dnNdupttWWVr5+/zM0tWlq60rfcyssrSOuuLTuYMygc7R3ty0urxPk9S8w8ZscHF/sd+do6XNjpB/hIa528Z3e32Oxp3Ey86WnJ4gdslvt3+EwZR5vInWxZrg2cLVqavFr27dwcSj0LEiIyRaqmbv8fP/Jhqcimb9PjOUf+3QAAAL4klEQVR42uybCXOjOBbH2Z4G1DPsDkcQiMPdMMMZMI6DOYoQbOeoVNLTM9//0+yTcdJJJ+kjMdnKNipX/ARCf5B+fn7Sc5h/DV722f1RY9QYQIMZ4R01Xi28b4cuv/zlvP1l1PjZNP7699DlrcO8GctYhijOr8OWvTdvmOELZ3Ojxk+ngd7/858hyz8f9uwXgJdn+VHjp9Ng3r/79G648unThz12hHfUGAjeT3/+8ftQ5f2HEd5RY0jP++feb4OV39+N8I4aQ8L7Kxqq/9/+eBq8SLh7SwihG+vLI3cH65stnz8h6HaPX1R2OOmo7xz6RLvq/f8TXvQDM/xA0y9Zey68iM272w+P7ETnUW/1vSHt+sidwUKcnjh9Q5HV+lPm9siuJoRndZ291uYT2yx4JPQ1Xd/ZpCOwqJKuOze62gjvA/AyiqJY38kVp6gKd5cGTvWV74F3S33/dsdGt87CqyPxUkLMjcvpYowbiVpJHPMbuks4YqN7YAUYk4JeyddGtkEqJZjkaHcTglhsYNya/Y0nOMuIxqYbdbH0AOpnOcjPkx5g3YkNw7gKOmMJXQr59oFGeO/Cq8yn83nF39By65vrCxspEbSNrM/fZcBuNQ9VdO/ie/AiXgOHyCNJoldrMM9bG4GNqAlnN8dLz6E3w9uiTDvly1JPjUKgVF+Rzag0JCmM+kt4UYEz3fN4SrFxlcJcIx0HbINNtDt4daNmM+CJFxmet1M2xVpOeqdY5BxPH2YHoUluXCWMnuiAbHdl6AjZ8VUqDwUWJw4P7wAaPbzTiTJb+QIjgU/l4K/QAybxFCfQ5RAniXROpHA+UfxKEcS+KScBz9OJxMF4S5IgfAVeLiu9wLGbZenliG28tuODoPQy5ARemUtLz1vyegu2nhmkaZdSUnplANOG+JyVdSMHePMgoPAiB9ey0Hr8PbByXg5iuHctyDCFV6ixA9fuxGfdwJvvm3jZNQ5Kl3aTpLjzrtqCRl51bQaB5xXouZOOEhLgRIAum1gqsNHAgxjGUPCKZn6IBoZ3EI0tvL4MCFpVGKpcVYXRJFxMkFUtwokSqYJU+Wq0iBTECD4gTpcQSrQIVWZSRYuZFa3CKPK52WIRTbhH4UWFEWSkMQ0vKwlbxkXjmZikJXYaktV5bdQ1rrurNsVtgmkbEyAnsWk7tgghdUBYeHZRWG7g1XEugKndm3SEDkmwGSRpAy8KYg5peLlTeL0mJmyGWdR6ppGnWG+NVLcdR2xLOJnFsfRcDdtrdYB3E5bIBVniziQBGQheka2DZGB4h9Ho4V1Vk9BVItevForrTuarWTi3IndSTf1FhNSp74ZqGHGMMJtaNECwFgs/ggtWs2qlzuDq6Uydzmar2eOeV2hiXq5JYmT7nZEaXtCShCz3CwxzIwsobgW59QpD3288zQv269gsG9ZrzDJuIbZNcR+3fgNeBpme16/PtAHhDUqcZuQGXq0mvNbGJQvw4nw/NZ6+Quw1uAAXBc7BbGNNKAh8B8GHdyh4nWWba8yw8A6jsYXXXU1Va7qooqnqVnLlIn/qzycy51aTuRKF/iqsQtdCW3gFdapSVx2FgjWfqHMFuTN1rvpzVfgKvJ4ow1eskcsJwBtkWeGQWgZ4cQqRbdwIckPhlQPP9hqA114aEELwXZHwwG4GDh86l5eEY5D8SNgA7JaeKTDgqRF4XpkR5GHCBqGMAV7hFrxcUnQ8wEtyOXsuvEjzDIKvSAcjlQkAr95BBM8PBK+Wtakz8IJtII3rmHeymljTaDLxLbcSAF51TuFlFhHUgc/VbDJRuZuwwZ8qgrWBV6LwqqI7s9z5YsZ9xfPCkov1PNYITFhIx62ZFDam8Haep3cdrMAgzus+w0ucBgepTiMBsTaaJLGTVOKdALO8ntoN6R5asJkezhNdSjuk6cbS5rNimAVbgdvCyBKyhTfFiUNj3o3nfT68jOiwbAeelwPHiyi8KGi1IeCFRZRUNLvn6oU0rmNeVE3VRagoN/Buqv50IlQr11LmlaWqIvizBV2wRT7UZ1N1C++UwqvMF5UvPQ4v0hpC4s4xSEwyVMSEBHacyl2sd2DXbElIaXZEl5elXQZy6tGAIcY6OFGWXBmGkS2JqXvYiIsM6+aDW2VCTRt6SRygOjZwa3oNygbZKit1rTTiuHVIkcVaQuCR4FTTHMaFnBP7mfDST6wZJzL4cbrFEuuIlxAf73qrDNl5YhfNcoAU6Mto9PC6vmCFob9w3chazIRZiFRXURfuPJIgRJghZuK6LvWrSAnn83lk9fUqEqSFD03FBYQNYTiPxMd3GxCvJzYyYW1jbtMOjKkh3uT7FISk61Jfc0THRpqjG6mZGjTK7zfrbVvneGpoWt/8gSSFTc+zPGszDjU4FnzgrpMUXJ+kQFrCag5nSpopiqa+CehshzclJJniDjwWHQrJ5HuL7kOKprZzsOqgboNEHBTeATX6JIUFUpIiSorCIUtiJIvhLLBolREt6k+pvU1SbI5CHQ5a9Cw0ZSxp5ipKGIpfT1IgWEcXcp+SQH1eAt3YN7X+JQVxHNfXjmibBLxtPOyx0PX1W2OY9PD1rTB3NLap3B3s8257Qbe323efHub0ZRkkQ6QTXkZjmx7ux0Y7Oj4+2qa2bk3J3YwFQvfgoxb4aXeTq3gc3s2eifO9z4E4U3eeMOmvPGv0ohqcng3C1Qtp3P5hjnS0Xq9Pj57WlQBuW0LMt+D9Ebf0Az5zhPdpGuLO814vqfEZXpGzT04OD9eX2tO0HkLtqb8qG8EaNX4AXtG+PDn9eCnZpx9PLnf2jzsjvKPGC8DLX56enhwfivzR8Xp9xI3wjhqvB17t9NjkIDgROefs4/ETI4cR3lHjfwGvdLI+PpIY7fz87OLvi/NzbYR31Hgt8HJHx6enh/z5wcHB2cHFwcH5CO+o8VrgZSDaXV9q58AtLRcjvKPGK4PXPLs4o+zCmzbCO2q8nrBhvT7asLu3RyOHczTCO2q8kgXb6frk6PAC4D3b24O/F3sjvKPGa4EXAl7paH2xDRsO/tveGfW2CYNR1GslYBnrTB3EQx13YRPC0oQYHVKEEFJiKgqKkv7/XzObtOn6sm5TKUG79yUmJDovR9bH59i5fZXj8SAvGG8ib7VYKHV7p8XtqwY8sIExmZq329T1tju0yr6jVQbGhOSlV51S1U2/SHF3i0UKMCYkrzmcoV8eptrfgFICecGYjrzH0NfbXw95wXhbeV8xkBeME5TXcV0H8oIxRXk9s9stgLxgTE9ep6w3f/KbdcgLxuDy9qdZHOuA562Go9m2Rb3+FrXsanNzVSuPQl4wRpaXpcwhdnrYuO4w+WwHO384rcCTkW8O5iWLTqmtsmm1Vd0L52tAXjCGltdf+y7hycocZuc4LI/6weGpzIv1PfM2D9Mo0ZI75aZWqqSkrFTd2ZAXjPHl9bKU+77wqR3xw4AwEXl+ljJLX1k8FL28brVZ2GYrPrWDqg4gLxgnIa9I8jyJeBiJdR4mvh/GuZDrcCXCPBFP8m7NbjdCg7bZ79u5BXnBOAV51z4PJc8ikejBylzafiJsxnicswd5nVLVdUnpvCn6zCzIC8aY8uoqlyepCDmJYyNv6Dm5ZHkSM5ZFLlvJ7CgvodZNXdnLpmjmZ8u2KOaQF4zx5OWZtBw9z2p56aO8JJdUF7xSy0vjPJK/yntVK7stmsCi1pl+hbxgjCevk67zeB1bIuvlTSKRGXkjmZoTz/M0z9MwZMdugykb7KaYzdq2/aarB8gLxojyWpGUgrt+6hEReSnzU0sPdLWQchJJ4cuVEDz1mb5/eGBblPtirkuGoplBXjBGlZe4rmnsmpU21/wfST8wvV730OzVw8e3iatqj5b1HjMvGKch71+k7/NWmx+oecGYnLxOtzHLw0/dht98HfKCcVryBl2lVGk99HmbmY2ZF4yJyGt6Zf1ut2WrJ1+ssIExqrzzD/+Yy8vLFz4BecEYUt7d1y+fhsr15x3kBWPAmXf3frDsdrsLyAvGQAx6fX8xZO7NzHs2fJZg/IeM5WzYzIMlOUeQQfJx4Jyfk3cIMtH8BHxMPfXmiPFxAAAAAElFTkSuQmCC\"\u003e"
            }
          ],
          "value": "Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our  https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n  *  Palo Alto Networks official and detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices \n\n\n  https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices \n\nIf you do not use the OpenConfig plugin, disable or uninstall it by following these steps:\n  *  Select Device \u003e Plugins.\n  *  Locate the installed OpenConfig plugin.\n  *  Remove Config to disable the OpenConfig plugin\nOR\nUninstall the OpenConfig plugin."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-0110",
    "datePublished": "2025-02-12T21:04:42.675Z",
    "dateReserved": "2024-12-20T23:23:12.347Z",
    "dateUpdated": "2025-02-19T14:02:03.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2025-0110

CVE-2025-0110 (GCVE-0-2025-0110)

Tags

Sightings

Nomenclature