PT-2025-6775 · Palo Alto Networks · Pan-Os Openconfig Plugin · Google Gdce

Published 2025-02-12 · Updated 2025-02-23 · CVE-2025-0110

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Palo Alto Networks PAN-OS OpenConfig plugin, versions earlier than 2.1.2 (per the vendor advisory).
Description: A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin allows an authenticated administrator who can send gNMI requests to the PAN-OS management web interface to bypass system restrictions and execute arbitrary commands on the firewall. The commands run as the "__openconfig" user, which holds the Device Administrator role, so successful exploitation gives full administrative control of the device. Exploitation requires valid administrator credentials and network reachability of the management interface, which is why exposure of that interface is the main risk factor.
Recommendations: Upgrade the OpenConfig plugin to version 2.1.2 or later, which contains the vendor fix. If the plugin is not needed, remove it. Until the upgrade is applied, restrict access to the management web interface to trusted internal IP addresses in line with Palo Alto Networks' deployment best-practice guidelines, and review administrator accounts and authentication logs for unexpected gNMI activity.
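The two conditions that matter for this advisory are an OpenConfig plugin older than the fixed release and a management interface reachable from untrusted networks. The following audit script is an added example written for this page, not code from the advisory or from Palo Alto Networks. The inventory records (hostnames, plugin versions, permitted-ip entries) and the trusted management prefix are constructed assumptions; a real run would populate them from each firewall. It treats an empty permitted-ip list as unrestricted, because PAN-OS accepts management connections from any source when no permitted IPs are configured, and it takes 2.1.2 as the fixed plugin version from the vendor advisory.

```python
"""Audit a PAN-OS firewall inventory for exposure to CVE-2025-0110.

Added example for this advisory page; not vendor code. The inventory
below is constructed test data, and the fixed version (2.1.2) is taken
from the Palo Alto Networks advisory.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_network

# Fixed release of the OpenConfig plugin per the vendor advisory.
FIXED_PLUGIN_VERSION = (2, 1, 2)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "2.1.1" into (2, 1, 1); a hotfix suffix such as "-h1" is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class Firewall:
    hostname: str
    plugins: dict[str, str]                      # plugin name -> installed version
    permitted_ips: list[str] = field(default_factory=list)  # mgmt permitted-ip prefixes


@dataclass
class Finding:
    hostname: str
    plugin_version: str
    mgmt_restricted: bool
    severity: str   # this script's own triage label, not a CVSS value


def plugin_vulnerable(fw: Firewall) -> bool:
    """True when the openconfig plugin is installed and older than the fix."""
    installed = fw.plugins.get("openconfig")
    if installed is None:
        return False
    return parse_version(installed) < FIXED_PLUGIN_VERSION


def mgmt_unrestricted(fw: Firewall, trusted_prefixes: list[str]) -> bool:
    """True if the management interface accepts connections outside trusted prefixes.

    An empty permitted-ip list means PAN-OS allows any source, so it is unrestricted.
    Any configured entry that is not wholly inside a trusted prefix (e.g. 0.0.0.0/0)
    also counts as unrestricted.
    """
    if not fw.permitted_ips:
        return True
    trusted = [ip_network(p) for p in trusted_prefixes]
    for entry in fw.permitted_ips:
        net = ip_network(entry)
        inside = any(net.subnet_of(t) for t in trusted if t.version == net.version)
        if not inside:
            return True
    return False


def audit(inventory: list[Firewall], trusted_prefixes: list[str]) -> list[Finding]:
    """Return one finding per firewall that still runs a vulnerable plugin."""
    findings: list[Finding] = []
    for fw in inventory:
        if not plugin_vulnerable(fw):
            continue
        restricted = not mgmt_unrestricted(fw, trusted_prefixes)
        # Unpatched AND reachable from untrusted networks is the worst case.
        severity = "high" if restricted else "critical"
        findings.append(Finding(fw.hostname, fw.plugins["openconfig"], restricted, severity))
    return findings


# Constructed inventory (assumed hostnames, versions and prefixes).
TRUSTED_MGMT_NETS = ["10.10.0.0/16"]
INVENTORY = [
    Firewall("fw-edge-01", {"openconfig": "2.1.1"}, []),
    Firewall("fw-dc-02", {"openconfig": "2.1.2"}, ["10.10.0.0/24"]),
    Firewall("fw-branch-03", {"openconfig": "2.0.4"}, ["10.10.0.0/24", "0.0.0.0/0"]),
    Firewall("fw-lab-04", {}, []),
    Firewall("fw-core-05", {"openconfig": "2.1.0"}, ["10.10.0.5/32"]),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, TRUSTED_MGMT_NETS):
        state = "restricted" if f.mgmt_restricted else "UNRESTRICTED"
        print(f"{f.hostname}: openconfig {f.plugin_version}, mgmt {state} -> {f.severity}")
```

On a real device the installed plugin version comes from the PAN-OS CLI command `show plugins packages`, and the management restriction is configured with `set deviceconfig system permitted-ip <prefix>`; the script only models the decision logic so it can run offline against constructed records.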

Weakness Enumeration
OS Command Injection

Related Identifiers
BDU:2025-02684
CVE-2025-0110

Affected Products
Pan-Os Openconfig Plugin