Advisories

CERT-In Advisory CIAD-2025-0010

Multiple vulnerabilities in Web Management Interface of PAN-OS

Original Issue Date: February 27, 2025

Severity Rating: High

Software Affected

PAN-OS 11.2 versions prior to

11.2.4-h4
11.2.5

PAN-OS 11.1 versions prior to

11.1.6-h1
11.1.4-h13
11.1.2-h18

PAN-OS 10.2 versions prior to

10.2.13-h3
10.2.12-h6
10.2.11-h12
10.2.10-h14
10.2.9-h21
10.2.8-h21
10.2.7-h24

PAN-OS 10.1 versions prior to 10.1.14-h9
PAN-OS OpenConfig Plugin versions prior to 2.1.2
Cortex XDR Agent

8.6
8.5
8.4
8.3-CE

Cortex XDR Broker VM versions prior to 26.0.116
Prisma Access
Cloud NGFW

Overview

Multiple Vulnerabilities have been reported in Web Management Interface of PAN-OS and Cortex XDR Agent. An attacker with network access to the management web interface could exploit these vulnerabilities to execute arbitrary commands or obtain sensitive information, read & delete certain files, which may be used for further attacks and to perform malicious activity.

Target Audience:
Large enterprises, Managed Security Service Providers, Telecoms and ISPs, Cloud Providers and Industries with complex or highly regulated IT environments.

Risk Assessment:
Critical risks on confidentiality, integrity, and availability of the systems.

Impact Assessment:
Unauthorized access to sensitive information, compromise of integrity and confidentiality.

Description

The Palo Alto PAN-OS Web Management Interface is a graphical user interface (GUI) that allows administrators to configure, manage, and monitor the Palo Alto Networks firewall through a web browser.

1. Unauthenticated File Deletion Vulnerability ( CVE-2025-0109   )

This vulnerability allows a remote attacker with network access to the management web interface to delete certain files as the "nobody" user; this includes limited logs and configuration files but does not include system files.

2. Command Injection Vulnerability in OpenConfig Plugin ( CVE-2025-0110   )

This vulnerability allows a remote attacker to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the "__openconfig" user (which has the Device Administrator role) on the firewall.

3. Privilege Escalation Vulnerability in Cortex XDR agent ( CVE-2025-0112   )

This vulnerability allows an attacker non-administrative privileges to leverage by malware to disable the Cortex XDR agent and then perform malicious activity.

4. Security Bypass Vulnerability in Cortex XDR Broker VM ( CVE-2025-0113   )

This vulnerability allows an unauthenticated attacker with network access to read files sent for analysis and logs transmitted by the Cortex XDR Agent to the Cortex XDR server, caused by a problem with the network isolation mechanism.

Solution

It is recommended to secure access to your management interface and apply appropriate security updates as mentioned in:
https://securityadvisories.paloaltonetworks.com/

Workaround

Restricting access to the management web interface to only trusted internal IP addresses.

Vendor Information

Palo Alto Networks
https://security.paloaltonetworks.com/CVE-2025-0109
https://security.paloaltonetworks.com/CVE-2025-0110
https://security.paloaltonetworks.com/CVE-2025-0112
https://security.paloaltonetworks.com/CVE-2025-0113

References

CVE Name
CVE-2025-0109
CVE-2025-0110
CVE-2025-0112
CVE-2025-0113

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India