Palo Alto Networks Patches Authentication Bypass Vulnerability in PAN-OS Software

Feb 13, 2025Ravie LakshmananNetwork Security / Risk

Palo Alto Networks has fixed a high-severity security flaw in its PAN-OS software that could lead to an authentication bypass.

The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score drops to 5.1, however, if access to the management web interface is restricted to a jump box.

An unauthenticated attacker with network access to the management web interface can invoke certain PHP scripts by means of an authentication bypass in Palo Alto Networks' PAN-OS software, according to an advisory from the company.

"While invoking these PHP scripts does not allow for remote code execution, PAN-OS's integrity and confidentiality may be compromised."

The following versions are affected by the vulnerability:

  • PAN-OS 11.2 < 11.2.4-h4 (Fixed in >= 11.2.4-h4)
  • PAN-OS 11.1 < 11.1.6-h1 (Fixed in >= 11.1.6-h1)
  • PAN-OS 11.0 (Upgrade to a supported fixed version, as it reached end-of-life status on November 17, 2024)
  • PAN-OS 10.2 < 10.2.13-h3 (Fixed in >= 10.2.13-h3)
  • PAN-OS 10.1 < 10.1.14-h9 (Fixed in >= 10.1.14-h9)
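A quick way to triage a fleet against the ranges above, as an added example and not Palo Alto Networks' own code or tooling: the script below parses PAN-OS version strings of the form major.minor.patch[-hN] (the format of the sw-version value PAN-OS reports in `show system info`) and compares them with the fixed releases listed in the advisory. It assumes that a base release with no hotfix suffix sorts as hotfix 0 (so 10.2.13 is older than 10.2.13-h3) and that the 11.0 train, which has no fixed release, is reported as vulnerable outright; trains the advisory does not list return None rather than a verdict. The inventory at the bottom is constructed sample data.

```python
import re

# First fixed release per train, taken from the advisory for CVE-2025-0108.
# None marks the end-of-life 11.0 train, which has no fixed build.
FIXED_RELEASES = {
    "11.2": "11.2.4-h4",
    "11.1": "11.1.6-h1",
    "11.0": None,
    "10.2": "10.2.13-h3",
    "10.1": "10.1.14-h9",
}

# major.minor.patch with an optional -hN hotfix suffix, e.g. 11.2.4-h4
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Turn '10.2.13-h3' into a comparable tuple (10, 2, 13, 3).

    A missing hotfix suffix is treated as hotfix 0 (assumption), so a base
    release compares as older than any hotfix of the same patch level.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version):
    """Return True if the build predates the fix, False if it is fixed,
    and None if the release train is not covered by the advisory."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_RELEASES:
        return None
    fixed = FIXED_RELEASES[train]
    if fixed is None:
        return True  # EOL train: every build is affected, upgrade the train
    return parsed < parse_version(fixed)


def triage(inventory):
    """Map each device name to 'vulnerable', 'fixed' or 'unlisted'."""
    labels = {True: "vulnerable", False: "fixed", None: "unlisted"}
    return {name: labels[is_vulnerable(ver)] for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; replace with output gathered from your devices.
    sample = {
        "fw-edge-1": "11.2.4-h3",
        "fw-edge-2": "11.2.4-h4",
        "fw-dc-1": "10.2.13",
        "fw-legacy": "11.0.3",
        "fw-lab": "12.1.0",
    }
    for name, verdict in triage(sample).items():
        print(f"{name:10} {sample[name]:12} {verdict}")
```

Because the comparison is a plain tuple comparison, a later patch release (for example 11.2.5) sorts above 11.2.4-h4 and is correctly reported as fixed; if Palo Alto Networks later lists additional affected builds, only the `FIXED_RELEASES` table needs updating.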

Adam Kues, the researcher who discovered and reported the flaw, said it stems from a discrepancy in how the interface's Nginx and Apache components handle incoming requests, which leads to a directory traversal attack.
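The bug class described above, as an added illustration that is not Palo Alto Networks' code and does not reproduce the PAN-OS request routing or the actual exploit path: when a front component decides whether a request needs authentication by looking at the raw URL, while the backend percent-decodes and collapses dot segments before choosing which script to run, the two see different paths. The route prefix `/unauth/` and the script names below are hypothetical. The hardened handler makes the authentication decision on the same canonical path the backend will serve.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical route table: only paths under this prefix are reachable without a session.
UNAUTH_PREFIX = "/unauth/"


def front_requires_auth(raw_path):
    """Flawed pattern: the front component matches the RAW request path,
    before any percent-decoding or dot-segment normalisation."""
    return not raw_path.startswith(UNAUTH_PREFIX)


def backend_resolve(raw_path):
    """Backend: percent-decode, then collapse '.' and '..' segments.
    posixpath.normpath never climbs above '/', so '/..' stays at the root."""
    return posixpath.normpath(unquote(raw_path))


def handle_flawed(raw_path):
    """Auth decision on the raw path, dispatch on the normalised path (mismatch)."""
    if front_requires_auth(raw_path):
        return ("auth-required", None)
    return ("served-unauthenticated", backend_resolve(raw_path))


def handle_fixed(raw_path):
    """Auth decision and dispatch both use the canonical path."""
    canonical = backend_resolve(raw_path)
    if not canonical.startswith(UNAUTH_PREFIX):
        return ("auth-required", None)
    return ("served-unauthenticated", canonical)


if __name__ == "__main__":
    # Constructed requests: one legitimate, one traversal attempt with an encoded dot segment.
    for path in ("/unauth/ping.php", "/unauth/%2e%2e/php/admin.php", "/php/admin.php"):
        print(f"{path:32} flawed={handle_flawed(path)} fixed={handle_fixed(path)}")
```

The traversal request `/unauth/%2e%2e/php/admin.php` passes the flawed prefix check and is dispatched to `/php/admin.php` without a session, while the fixed handler rejects it because the canonical path no longer starts with the unauthenticated prefix. The same check is also a useful detection rule: log entries whose raw path matches the unauthenticated prefix but whose decoded, normalised path does not are worth alerting on.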

Additionally, Palo Alto Networks has shipped fixes for two more vulnerabilities:

  • CVE-2025-0109 (CVSS score: 5.5) - An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface that enables an attacker with network access to the management web interface to delete certain files as the "nobody" user, including limited logs and configuration files (Fixed in PAN-OS versions 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9)
  • (CVSS score: 7.3) - A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin that allows an authenticated administrator to send gNMI requests to the PAN-OS management web interface to bypass system restrictions and execute arbitrary commands (Fixed in PAN-OS OpenConfig Plugin version 2.1.2)

It is highly recommended to restrict access to the management web interface from the internet or any untrusted network to reduce the risk posed by these vulnerabilities. Customers who do not use OpenConfig have the option of disabling or uninstalling the plugin from their environments.
