CVE-2025-0125: 
PAN-OS vulnerability analysis and mitigation

An improper input neutralization vulnerability (CVE-2025-0125) was discovered in the management web interface of the Palo Alto Networks PAN-OS® software. The vulnerability was disclosed on April 9, 2025, and affects multiple versions of PAN-OS including versions 11.2 (<11.2.5), 11.1 (<11.1.5), 11.0 (<11.0.6), 10.2 (<10.2.11), and 10.1 (<10.1.14-h11). This issue does not affect Cloud NGFW and Prisma® Access instances (Palo Security).

The vulnerability is classified as CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) and has been assigned a CVSS 4.0 Base Score of 4.4 (MEDIUM). The attack vector is network-based with low attack complexity, requiring high privileges and passive user interaction. The vulnerability primarily impacts product confidentiality with high severity, while having low impact on integrity and no impact on availability (Palo Security).

If exploited, this vulnerability enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator. The risk is highest when access to the management interface is allowed from external IP addresses on the internet (Palo Security).

Palo Alto Networks has released patches for affected versions and recommends upgrading to the following fixed versions: PAN-OS 11.2.5 or later, 11.1.5 or later, 11.0.6 or later, 10.2.11 or later, and 10.1.14-h11 or later. As a workaround, organizations should restrict management interface access to only trusted internal IP addresses according to critical deployment guidelines. The risk can be greatly reduced by restricting access to a jump box that is the only system allowed to access the management interface (Palo Security).

The vulnerability was discovered and reported by the Visa Cybersecurity team and Deloitte Romania, represented by Razvan Ilisanu and Matei "Mal" Badanoiu (Palo Security).