CVE-2025-4231

Summary

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user.

The attacker must have network access to the management web interface and successfully authenticate to exploit this issue.

Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAll < 6.3.3unaffected
Palo Alto NetworksPAN-OS11.2.0unaffected
Palo Alto NetworksPAN-OS11.1.0unaffected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.3affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.8affected
Palo Alto NetworksPAN-OS10.1.0affected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Workarounds

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References