CVE-2025-0111:
Authenticated file read vulnerability in the PAN-OS management web interface could allow an authenticated remote attacker with network access to read files on the PAN-OS filesystem that are readable by the nobody user. The risk is greatest if the management interface is exposed to the internet or an untrusted network. This issue does not affect Cloud NGFW or Prisma Access.
Score
6.5 Medium
- Published Date: Feb 12, 2025
- CISA KEV Date: Feb 20, 2025
- Industries Affected: 20
Threat Predictions
- EPSS Score: 3.7
- EPSS Percentile: 88%
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 3.6
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE
Overview
This CVE (CVE-2025-0111) is categorized as CWE-73 (External Control of File Name or Path) and is described as an authenticated file read vulnerability affecting PAN-OS. Exploitation requires network access to the management web interface, and the impact is limited to files readable by the nobody user. The CVSS assessments include a high base score of 7.1 (CVSS v4.0) reflecting remote, unauthenticated exposure under certain conditions, and a secondary metric indicating medium severity with higher privileges required in some contexts. The vulnerability affects multiple PAN-OS release lines, with fixes available in newer builds; the highest risk remains when management access is reachable from external networks. Palo Alto Networks notes that the vulnerability does not impact Cloud NGFW or Prisma Access. Exploit attempts have been observed chaining this vulnerability with other PAN-OS web management interface flaws on unsecured devices.
Remediation
- Mitigation starts with restricting access to the management interface to trusted internal IP addresses or via a jump box, thereby limiting exposure to the management web interface.
- In terms of patching, upgrade to fixed PAN-OS releases as indicated:
  - PAN-OS 10.1: upgrade to 10.1.14-h9 or later.
  - PAN-OS 10.2: upgrade to 10.2.13-h3 or later (note that 10.2.7-h24, 10.2.8-h21, 10.2.9-h21, 10.2.12-h6, 10.2.13-h3 are cited as the progression endpoints).
  - PAN-OS 11.x: upgrade to 11.1.6-h1 or later (11.1.2-h18 or later for 11.1.x).
  - PAN-OS 11.2: upgrade to 11.2.4-h4 or later.
- PAN-OS 11.0 is end-of-life, and no further fixes are planned for that release; if possible, migrate to a supported fixed version.
- Additional guidance recommends securing management access following best practices and leveraging Threat Prevention features where applicable.
Armis Early Warning
- Armis Alert Date: *No Data*
- CISA KEV Date: Feb 20, 2025
- Days Early: 8 Days