CVE-2025-4230

Summary

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI.

The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAll < 6.3.3unaffected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.6affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.10affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.14affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.14-h15affected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Workarounds

No workaround or mitigation is available.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References