CVE-2025-0137

Summary

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.

The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAll < 6.3.3unaffected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.5affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.8affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.13affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.14-h14affected

Weaknesses

  • CWE-83: CWE-83: Improper Neutralization of Script in Attributes in a Web Page

Workarounds

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References