{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-0127","assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","state":"PUBLISHED","assignerShortName":"palo_alto","dateReserved":"2024-12-20T23:23:28.050Z","datePublished":"2025-04-11T02:01:35.087Z","dateUpdated":"2025-04-11T16:01:52.805Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Cloud NGFW","vendor":"Palo Alto Networks","versions":[{"status":"unaffected","version":"All","versionType":"custom"}]},{"cpes":["cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*","cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","platforms":["VM-Series"],"product":"PAN-OS","vendor":"Palo Alto Networks","versions":[{"status":"unaffected","version":"11.2.0","versionType":"custom"},{"status":"unaffected","version":"11.1.0","versionType":"custom"},{"changes":[{"at":"11.0.4","status":"unaffected"}],"lessThan":"11.0.4","status":"affected","version":"11.0.0","versionType":"custom"},{"changes":[{"at":"10.2.9","status":"unaffected"}],"lessThan":"10.2.9","status":"affected","version":"10.2.0","versionType":"custom"},{"changes":[{"at":"10.1.14-h13","status":"unaffected"}],"lessThan":"10.1.14-h13","status":"affected","version":"10.1.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"Prisma Access","vendor":"Palo Alto Networks","versions":[{"status":"unaffected","version":"All","versionType":"custom"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No special configuration is required to be affected by this issue."}],"value":"No special configuration is required to be affected by this issue."}],"credits":[{"lang":"en","type":"finder","value":"Pavel Raunou"}],"datePublic":"2025-04-09T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.

Cloud NGFW and Prisma® Access are not affected by this vulnerability."}],"value":"A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.\n\nCloud NGFW and Prisma® Access are not affected by this vulnerability."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"impacts":[{"capecId":"CAPEC-248","descriptions":[{"lang":"en","value":"CAPEC-248 Command Injection"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"HIGH","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto","dateUpdated":"2025-04-11T02:01:35.087Z"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2025-0127"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"

VersionMinor VersionSuggested Solution
PAN-OS 11.2 on VM-Series

No action needed
PAN-OS 11.1 on VM-Series

No action needed
PAN-OS 11.0 on VM-Series
11.0.0 through 11.0.3
Upgrade to 11.0.4 or later
PAN-OS 10.2 on VM-Series
10.2.0 through 10.2.8
Upgrade to 10.2.9 or later
PAN-OS 10.1 on VM-Series
10.1.0 through 10.1.14
Upgrade to 10.1.14-h13 or later
PAN-OS on non VM-Series platforms
No action needed
All other older unsupported PAN-OS versions

Upgrade to a supported fixed version

PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version."}],"value":"VersionMinor VersionSuggested SolutionPAN-OS 11.2 on VM-Series\n\nNo action needed\nPAN-OS 11.1 on VM-Series\n\nNo action needed\nPAN-OS 11.0 on VM-Series\n11.0.0 through 11.0.3\nUpgrade to 11.0.4 or later\nPAN-OS 10.2 on VM-Series\n10.2.0 through 10.2.8\nUpgrade to 10.2.9 or later\nPAN-OS 10.1 on VM-Series\n10.1.0 through 10.1.14\nUpgrade to 10.1.14-h13 or later\nPAN-OS on non VM-Series platforms\nNo action neededAll other older unsupported PAN-OS versions\n\nUpgrade to a supported fixed version\n\nPAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version."}],"source":{"defect":["PAN-225690"],"discovery":"INTERNAL"},"timeline":[{"lang":"en","time":"2025-04-09T16:00:00.000Z","value":"Initial Publication"}],"title":"PAN-OS: Authenticated Admin Command Injection Vulnerability in PAN-OS VM-Series","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No workaround or mitigation is available."}],"value":"No workaround or mitigation is available."}],"x_affectedList":["PAN-OS 11.0.3-h13","PAN-OS 11.0.3-h12","PAN-OS 11.0.3-h11","PAN-OS 11.0.3-h10","PAN-OS 11.0.3-h9","PAN-OS 11.0.3-h8","PAN-OS 11.0.3-h7","PAN-OS 11.0.3-h6","PAN-OS 11.0.3-h5","PAN-OS 11.0.3-h4","PAN-OS 11.0.3-h3","PAN-OS 11.0.3-h2","PAN-OS 11.0.3-h1","PAN-OS 11.0.3","PAN-OS 11.0.2-h5","PAN-OS 11.0.2-h4","PAN-OS 11.0.2-h3","PAN-OS 11.0.2-h2","PAN-OS 11.0.2-h1","PAN-OS 11.0.2","PAN-OS 11.0.1-h5","PAN-OS 11.0.1-h4","PAN-OS 11.0.1-h3","PAN-OS 11.0.1-h2","PAN-OS 11.0.1-h1","PAN-OS 11.0.1","PAN-OS 11.0.0-h4","PAN-OS 11.0.0-h3","PAN-OS 11.0.0-h2","PAN-OS 11.0.0-h1","PAN-OS 11.0.0","PAN-OS 10.2.8-h21","PAN-OS 10.2.8-h20","PAN-OS 10.2.8-h19","PAN-OS 10.2.8-h18","PAN-OS 10.2.8-h17","PAN-OS 10.2.8-h16","PAN-OS 10.2.8-h15","PAN-OS 10.2.8-h14","PAN-OS 10.2.8-h13","PAN-OS 10.2.8-h12","PAN-OS 10.2.8-h11","PAN-OS 10.2.8-h10","PAN-OS 10.2.8-h9","PAN-OS 10.2.8-h8","PAN-OS 10.2.8-h7","PAN-OS 10.2.8-h6","PAN-OS 10.2.8-h5","PAN-OS 10.2.8-h4","PAN-OS 10.2.8-h3","PAN-OS 10.2.8-h2","PAN-OS 10.2.8-h1","PAN-OS 10.2.8","PAN-OS 10.2.7-h24","PAN-OS 10.2.7-h23","PAN-OS 10.2.7-h22","PAN-OS 10.2.7-h21","PAN-OS 10.2.7-h20","PAN-OS 10.2.7-h19","PAN-OS 10.2.7-h18","PAN-OS 10.2.7-h17","PAN-OS 10.2.7-h16","PAN-OS 10.2.7-h15","PAN-OS 10.2.7-h14","PAN-OS 10.2.7-h13","PAN-OS 10.2.7-h12","PAN-OS 10.2.7-h11","PAN-OS 10.2.7-h10","PAN-OS 10.2.7-h9","PAN-OS 10.2.7-h8","PAN-OS 10.2.7-h7","PAN-OS 10.2.7-h6","PAN-OS 10.2.7-h5","PAN-OS 10.2.7-h4","PAN-OS 10.2.7-h3","PAN-OS 10.2.7-h2","PAN-OS 10.2.7-h1","PAN-OS 10.2.7","PAN-OS 10.2.6-h6","PAN-OS 10.2.6-h5","PAN-OS 10.2.6-h4","PAN-OS 10.2.6-h3","PAN-OS 10.2.6-h2","PAN-OS 10.2.6-h1","PAN-OS 10.2.6","PAN-OS 10.2.5-h9","PAN-OS 10.2.5-h8","PAN-OS 10.2.5-h7","PAN-OS 10.2.5-h6","PAN-OS 10.2.5-h5","PAN-OS 10.2.5-h4","PAN-OS 10.2.5-h3","PAN-OS 10.2.5-h2","PAN-OS 10.2.5-h1","PAN-OS 10.2.5","PAN-OS 10.2.4-h32","PAN-OS 10.2.4-h31","PAN-OS 10.2.4-h30","PAN-OS 10.2.4-h29","PAN-OS 10.2.4-h28","PAN-OS 10.2.4-h27","PAN-OS 10.2.4-h26","PAN-OS 10.2.4-h25","PAN-OS 10.2.4-h24","PAN-OS 10.2.4-h23","PAN-OS 10.2.4-h22","PAN-OS 10.2.4-h21","PAN-OS 10.2.4-h20","PAN-OS 10.2.4-h19","PAN-OS 10.2.4-h18","PAN-OS 10.2.4-h17","PAN-OS 10.2.4-h16","PAN-OS 10.2.4-h15","PAN-OS 10.2.4-h14","PAN-OS 10.2.4-h13","PAN-OS 10.2.4-h12","PAN-OS 10.2.4-h11","PAN-OS 10.2.4-h10","PAN-OS 10.2.4-h9","PAN-OS 10.2.4-h8","PAN-OS 10.2.4-h7","PAN-OS 10.2.4-h6","PAN-OS 10.2.4-h5","PAN-OS 10.2.4-h4","PAN-OS 10.2.4-h3","PAN-OS 10.2.4-h2","PAN-OS 10.2.4-h1","PAN-OS 10.2.4","PAN-OS 10.2.3-h14","PAN-OS 10.2.3-h13","PAN-OS 10.2.3-h12","PAN-OS 10.2.3-h11","PAN-OS 10.2.3-h10","PAN-OS 10.2.3-h9","PAN-OS 10.2.3-h8","PAN-OS 10.2.3-h7","PAN-OS 10.2.3-h6","PAN-OS 10.2.3-h5","PAN-OS 10.2.3-h4","PAN-OS 10.2.3-h3","PAN-OS 10.2.3-h2","PAN-OS 10.2.3-h1","PAN-OS 10.2.3","PAN-OS 10.2.2-h6","PAN-OS 10.2.2-h5","PAN-OS 10.2.2-h4","PAN-OS 10.2.2-h3","PAN-OS 10.2.2-h2","PAN-OS 10.2.2-h1","PAN-OS 10.2.2","PAN-OS 10.2.1-h3","PAN-OS 10.2.1-h2","PAN-OS 10.2.1-h1","PAN-OS 10.2.1","PAN-OS 10.2.0-h4","PAN-OS 10.2.0-h3","PAN-OS 10.2.0-h2","PAN-OS 10.2.0-h1","PAN-OS 10.2.0","PAN-OS 10.1.14-h11","PAN-OS 10.1.14-h10","PAN-OS 10.1.14-h9","PAN-OS 10.1.14-h8","PAN-OS 10.1.14-h7","PAN-OS 10.1.14-h6","PAN-OS 10.1.14-h5","PAN-OS 10.1.14-h4","PAN-OS 10.1.14-h3","PAN-OS 10.1.14-h2","PAN-OS 10.1.14-h1","PAN-OS 10.1.14","PAN-OS 10.1.13-h5","PAN-OS 10.1.13-h4","PAN-OS 10.1.13-h3","PAN-OS 10.1.13-h2","PAN-OS 10.1.13-h1","PAN-OS 10.1.13","PAN-OS 10.1.12-h3","PAN-OS 10.1.12-h2","PAN-OS 10.1.12-h1","PAN-OS 10.1.12","PAN-OS 10.1.11-h10","PAN-OS 10.1.11-h9","PAN-OS 10.1.11-h8","PAN-OS 10.1.11-h7","PAN-OS 10.1.11-h6","PAN-OS 10.1.11-h5","PAN-OS 10.1.11-h4","PAN-OS 10.1.11-h3","PAN-OS 10.1.11-h2","PAN-OS 10.1.11-h1","PAN-OS 10.1.11","PAN-OS 10.1.10-h9","PAN-OS 10.1.10-h8","PAN-OS 10.1.10-h7","PAN-OS 10.1.10-h6","PAN-OS 10.1.10-h5","PAN-OS 10.1.10-h4","PAN-OS 10.1.10-h3","PAN-OS 10.1.10-h2","PAN-OS 10.1.10-h1","PAN-OS 10.1.10","PAN-OS 10.1.9-h14","PAN-OS 10.1.9-h13","PAN-OS 10.1.9-h12","PAN-OS 10.1.9-h11","PAN-OS 10.1.9-h10","PAN-OS 10.1.9-h9","PAN-OS 10.1.9-h8","PAN-OS 10.1.9-h7","PAN-OS 10.1.9-h6","PAN-OS 10.1.9-h5","PAN-OS 10.1.9-h4","PAN-OS 10.1.9-h3","PAN-OS 10.1.9-h2","PAN-OS 10.1.9-h1","PAN-OS 10.1.9","PAN-OS 10.1.8-h8","PAN-OS 10.1.8-h7","PAN-OS 10.1.8-h6","PAN-OS 10.1.8-h5","PAN-OS 10.1.8-h4","PAN-OS 10.1.8-h3","PAN-OS 10.1.8-h2","PAN-OS 10.1.8-h1","PAN-OS 10.1.8","PAN-OS 10.1.7-h1","PAN-OS 10.1.7","PAN-OS 10.1.6-h9","PAN-OS 10.1.6-h8","PAN-OS 10.1.6-h7","PAN-OS 10.1.6-h6","PAN-OS 10.1.6-h5","PAN-OS 10.1.6-h4","PAN-OS 10.1.6-h3","PAN-OS 10.1.6-h2","PAN-OS 10.1.6-h1","PAN-OS 10.1.6","PAN-OS 10.1.5-h4","PAN-OS 10.1.5-h3","PAN-OS 10.1.5-h2","PAN-OS 10.1.5-h1","PAN-OS 10.1.5","PAN-OS 10.1.4-h6","PAN-OS 10.1.4-h5","PAN-OS 10.1.4-h4","PAN-OS 10.1.4-h3","PAN-OS 10.1.4-h2","PAN-OS 10.1.4-h1","PAN-OS 10.1.4","PAN-OS 10.1.3-h4","PAN-OS 10.1.3-h3","PAN-OS 10.1.3-h2","PAN-OS 10.1.3-h1","PAN-OS 10.1.3","PAN-OS 10.1.2","PAN-OS 10.1.1","PAN-OS 10.1.0"],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-11T15:13:55.222149Z","id":"CVE-2025-0127","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-11T16:01:52.805Z"}}]}}