Palo Alto Networks PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User

Palo Alto Networks disclosed a command injection vulnerability affecting its PAN-OS firewall operating system that enables authenticated administrators to execute arbitrary commands with root privileges.

The security vulnerability, tracked as CVE-2025-4230 and published on June 11, 2025, poses a medium-severity risk with a CVSS score of 5.7, though the company emphasizes that exploitation requires existing administrative access to the command-line interface.

The vulnerability stems from improper neutralization of special elements used in operating system commands, classified under CWE-78 for OS Command Injection.

This weakness allows authenticated administrators to circumvent built-in system restrictions and execute unauthorized commands with elevated root privileges on affected PAN-OS devices.

The exploit mechanism follows CAPEC-248 patterns for command injection attacks, where malicious input is processed without adequate sanitization.

According to Palo Alto Networks’ security advisory, the vulnerability requires no special configuration to be exploitable, making all default installations potentially vulnerable.

However, the attack vector is classified as local, meaning attackers must already possess administrative credentials and CLI access to the target system.

The company noted that “the security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators,” highlighting the importance of administrative access controls.

Palo Alto Networks PAN-OS Vulnerability

The vulnerability affects multiple generations of PAN-OS software, spanning versions 10.1 through 11.2.

Specifically impacted are PAN-OS 11.2 versions prior to 11.2.6, PAN-OS 11.1 versions before 11.1.10, PAN-OS 10.2 versions preceding 10.2.14, and PAN-OS 10.1 versions earlier than 10.1.14-h15.

All older unsupported versions remain vulnerable and require immediate upgrades to supported fixed releases.

Notably, Palo Alto Networks’ Cloud NGFW and Prisma Access platforms are unaffected by this vulnerability, providing some relief for cloud-based deployments.

The company has confirmed no awareness of malicious exploitation attempts targeting this vulnerability in the wild, suggesting the disclosure follows responsible security practices before active attacks emerge.

The vulnerability is rated high for confidentiality, integrity, and availability impact on the affected products.

However, subsequent system impacts are rated as none, indicating the compromise is contained to the directly targeted device rather than enabling lateral movement to connected systems.

Immediate Patching

Palo Alto Networks has released security updates addressing the vulnerability across all supported PAN-OS versions.

Organizations running PAN-OS 11.2 should upgrade to version 11.2.6 or later, while those on PAN-OS 11.1 need to update to 11.1.10 or newer versions.

Users of PAN-OS 10.2 must install version 10.2.14 or later, and PAN-OS 10.1 users require version 10.1.14-h15 or newer releases.
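As an added example (not from Palo Alto Networks or the original article), the following Python sketch triages an inventory of PAN-OS version strings against the fixed releases listed above. The hostnames and inventory are constructed, and the `major.minor.maintenance[-hN]` parsing and all function names are assumptions of this example.

```python
import re

# First fixed release per PAN-OS train, taken from the article text.
# Value is (maintenance, hotfix); 10.1.14-h15 becomes (14, 15).
FIXED = {(11, 2): (6, 0), (11, 1): (10, 0), (10, 2): (14, 0), (10, 1): (14, 15)}
OLDEST_LISTED = min(FIXED)

# Assumed version format: major.minor.maintenance with optional -hN hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '10.1.14-h15' into ((10, 1), (14, 15)); no hotfix counts as h0."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor), (maint, int(m.group(4) or 0))


def classify(text):
    """Return 'fixed', 'vulnerable', or 'not-listed' for one version string."""
    train, build = parse_version(text)
    if train in FIXED:
        return "fixed" if build >= FIXED[train] else "vulnerable"
    if train < OLDEST_LISTED:
        return "vulnerable"  # article: older unsupported versions remain vulnerable
    return "not-listed"  # train the article does not cover; check the advisory


def triage(inventory):
    """Map each host to a status; unparseable strings become 'unparsed'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparsed"
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {"fw-edge-01": "11.2.5", "fw-edge-02": "11.2.6", "fw-dc-01": "10.1.14",
          "fw-dc-02": "10.1.14-h15", "fw-lab-01": "9.1.19", "fw-lab-02": "n/a"}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

A release without a hotfix suffix sorts below any hotfix of the same maintenance level, which is why 10.1.14 is reported as vulnerable while 10.1.14-h15 is not.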

The company explicitly states that no workarounds or mitigations are available, making immediate patching the only effective defense against potential exploitation.

This underscores the critical importance of maintaining current software versions and implementing robust patch management processes for network security infrastructure.

Given the moderate urgency rating and the requirement for administrative access, organizations should prioritize updates while ensuring proper access controls restrict CLI privileges to essential personnel only.

Mayura
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.