CVE-2025-0127: 
PAN-OS vulnerability analysis and mitigation

A command injection vulnerability (CVE-2025-0127) was discovered in Palo Alto Networks PAN-OS® software, specifically affecting the VM-Series platform. The vulnerability was disclosed on April 9, 2025, enabling authenticated administrators to bypass system restrictions and execute arbitrary commands with root privileges. This issue is limited to PAN-OS VM-Series deployments and does not affect already deployed firewalls, Cloud NGFW, or Prisma® Access (Palo Security).

The vulnerability has been assigned a CVSS Base Score of 7.1 (HIGH) with the following vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CAPEC-248 (Command Injection) (NVD Database).

The vulnerability allows authenticated administrators to execute arbitrary commands with root privileges on affected systems. This could potentially lead to complete system compromise within the scope of the VM-Series platform (Palo Security).

Affected versions include PAN-OS 11.0 (< 11.0.4), PAN-OS 10.2 (< 10.2.9), and PAN-OS 10.1 (< 10.1.14-h13) on VM-Series. Users are advised to upgrade to PAN-OS 11.0.4 or later, PAN-OS 10.2.9 or later, or PAN-OS 10.1.14-h13 or later respectively. No alternative workarounds or mitigations are available (Palo Security).