CVE-2025-4615: 
PAN-OS vulnerability analysis and mitigation

An improper input neutralization vulnerability (CVE-2025-4615) was discovered in the management web interface of the Palo Alto Networks PAN-OS software. The vulnerability was disclosed on October 8, 2025, affecting multiple versions of PAN-OS including versions prior to 11.2.8, 11.1.11, and 10.2.17. This security issue enables an authenticated administrator to bypass system restrictions and execute arbitrary commands (Palo Security). Cloud NGFW and Prisma Access are not affected by this vulnerability.

The vulnerability is classified as CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) with a CVSS v4.0 base score of 7.0 (HIGH) when exposed to external IP addresses, and 4.5 (MEDIUM) when access is restricted. The attack vector is classified as adjacent network with low attack complexity, requiring high privileges but no user interaction. The vulnerability impacts system integrity and availability while maintaining system confidentiality (NVD).

The vulnerability allows authenticated administrators to execute arbitrary commands through the management web interface, potentially compromising system integrity and availability. The security risk is significantly minimized when CLI access is restricted to a limited group of administrators (Palo Security).

Palo Alto Networks has released patches for affected versions. Users should upgrade to PAN-OS version 11.2.8 or later, 11.1.11 or later, or 10.2.17 or later, depending on their current version. The risk can be significantly reduced by restricting access to a jump box that is the only system allowed to access the management interface (ASEC, Palo Security).

The vulnerability was discovered and reported by Visa Inc., demonstrating collaborative security research within the industry. Palo Alto Networks has recommended addressing this vulnerability during the next scheduled maintenance cycle for environments with restricted management interface access (Palo Security).