Google Researcher Discloses High-Risk Vulnerability in Palo Alto Networks’ PAN-OS Firewall Software

February 21, 2025

A Google researcher has published a proof-of-concept exploit for a high-risk vulnerability (CVE-2025-0110) in PAN-OS, the firewall software developed by Palo Alto Networks. The vulnerability has been assigned a CVSSv4 score of 8.6, indicating high severity. The flaw could allow an authenticated attacker to run arbitrary commands on the underlying operating system with administrator privileges.

The flaw is found in the PAN-OS OpenConfig plugin. This plugin facilitates the retrieval of system logs via the gnmi.Subscribe function. An attacker could manipulate the 'type' parameter in an OpenConfig API request, leading to the injection and execution of arbitrary bash commands on the firewall.

The vulnerability is triggered by a specially crafted request that misuses the XPATH query structure in the OpenConfig API. With the help of the gnmic tool, an attacker can run arbitrary bash commands on the PAN-OS device. The system's response confirms the successful execution of the command, demonstrating that the system is vulnerable to command injection.

This vulnerability impacts PAN-OS deployments where the OpenConfig Plugin is enabled. The OpenConfig API can be accessed via the PAN-OS management interface on port 9339, which could pose a considerable security risk if exposed.

Palo Alto Networks has responded to this security concern by releasing a security fix in OpenConfig Plugin version 2.1.2, which is included in PAN-OS 11.2.5 and subsequent versions. To further mitigate the risk, users are advised to ensure they are using the latest software versions.
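The exposure and patch conditions above can be turned into a quick fleet triage. The following is an added example, not code from Palo Alto Networks or the researcher; the inventory records and their field names are constructed assumptions, and only the port (9339) and the fixed plugin version (2.1.2) come from the article.

```python
import socket

FIXED_PLUGIN = (2, 1, 2)  # first fixed OpenConfig Plugin release named in the article
GNMI_PORT = 9339          # OpenConfig API port on the management interface

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"name": "fw-edge-01", "mgmt_ip": "192.0.2.10", "openconfig_enabled": True, "plugin_version": "2.1.1"},
    {"name": "fw-core-01", "mgmt_ip": "192.0.2.11", "openconfig_enabled": True, "plugin_version": "2.1.2"},
    {"name": "fw-lab-01", "mgmt_ip": "192.0.2.12", "openconfig_enabled": False, "plugin_version": None},
    {"name": "fw-dmz-01", "mgmt_ip": "192.0.2.13", "openconfig_enabled": True, "plugin_version": None},
]

def parse_version(text):
    """Turn '2.1.1' into (2, 1, 1); return None for missing or malformed values."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def port_open(host, port=GNMI_PORT, timeout=2.0):
    """True if a TCP connection to host:port succeeds from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(fw, probe=port_open):
    """Classify one record; the port is only probed for unpatched devices."""
    if not fw.get("openconfig_enabled"):
        return "not-affected"      # plugin disabled: outside the affected set
    version = parse_version(fw.get("plugin_version"))
    if version is None:
        return "unknown"           # no usable version data: verify by hand
    if version >= FIXED_PLUGIN:
        return "patched"
    return "vulnerable-exposed" if probe(fw["mgmt_ip"]) else "vulnerable"

if __name__ == "__main__":
    for fw in INVENTORY:
        print(f"{fw['name']:<12} {triage(fw)}")
```

Run it from a network segment that should not be able to reach the management interface, so that a "vulnerable-exposed" result reflects reachability that needs to be closed off as well as patched.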
