CVE-2025-0111: 
PAN-OS vulnerability analysis and mitigation

An authenticated file read vulnerability (CVE-2025-0111) was discovered in the management web interface of the Palo Alto Networks PAN-OS software. The vulnerability was disclosed on February 12, 2025, and enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the 'nobody' user. This vulnerability affects multiple versions of PAN-OS but does not impact Cloud NGFW or Prisma Access software (Palo Security).

The vulnerability has been assigned a CVSS v4.0 Base Score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Red. The vulnerability is classified under CWE-73: External Control of File Name or Path. The issue affects multiple versions of PAN-OS including versions 10.1, 10.2, 11.1, and 11.2 (Palo Security, NVD).

The vulnerability allows an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the 'nobody' user. The risk is highest when access to the management interface is allowed from external IP addresses on the internet (Palo Security).

Palo Alto Networks has released patches for affected versions. Users should upgrade to PAN-OS versions 10.1.14-h9 or later, 10.2.13-h3 or later, 11.1.6-h1 or later, or 11.2.5 or later. Additionally, organizations can greatly reduce the risk by restricting access to the management web interface to only trusted internal IP addresses according to recommended critical deployment guidelines. Customers with a Threat Prevention subscription can block attacks by enabling Threat ID 510000 and 510001 (Palo Security).

The vulnerability has gained significant attention from the cybersecurity community, leading to its inclusion in CISA's Known Exploited Vulnerabilities Catalog. CISA has set a remediation date of March 13, 2025, for federal agencies to address this vulnerability (CISA).