Palo Alto Networks has disclosed a command injection vulnerability in its PAN-OS operating system that enables authenticated administrative users to escalate privileges and perform actions as the root user.
The vulnerability, designated CVE-2025-4231, was published on June 11, 2025, and carries a medium severity rating with a CVSS score of 6.1.
The newly discovered vulnerability affects the management web interface of Palo Alto Networks' firewall operating system, allowing attackers with administrative credentials to execute commands with root-level privileges.
The security vulnerability stems from improper neutralization of special elements used in commands, classified as CWE-77 (Command Injection), with the associated attack pattern CAPEC-233 (Privilege Escalation).
To exploit this vulnerability, attackers must have network access to the management web interface and successfully authenticate with administrative credentials.
While the attack complexity is rated as low, the requirement for high-level privileges serves as a significant barrier to exploitation.
The vulnerability does not affect Cloud NGFW and Prisma Access platforms, limiting its scope to on-premises PAN-OS deployments.
The risk level varies significantly based on network configuration. Organizations that expose their management interfaces directly to the internet or through untrusted networks face the highest risk, with CVSS scores reaching 8.6.
However, organizations that restrict management access to trusted internal networks or implement jump box architectures can reduce the risk substantially, with CVSS scores dropping to 4.0.
PAN-OS Web Interface Vulnerability
The vulnerability impacts multiple PAN-OS versions with varying degrees of severity. PAN-OS 10.1 remains completely vulnerable with no patches available, requiring immediate upgrades to newer versions.
PAN-OS 10.2 versions prior to 10.2.8 and PAN-OS 11.0 versions before 11.0.3 are also affected but have patches available.
Fortunately, newer versions including PAN-OS 11.1 and 11.2 are not impacted by this vulnerability. Organizations running affected versions should prioritize upgrading to PAN-OS 10.2.8, 11.0.3, or later versions.
For customers still using the end-of-life PAN-OS 11.0, Palo Alto Networks recommends upgrading to supported versions rather than applying the final patch to the deprecated version.
Palo Alto Networks has implemented automated scanning to help customers identify potentially exposed devices.
The company tags internet-facing management interfaces with 'PAN-SA-2024-0015' identifiers, allowing customers to quickly locate assets requiring immediate attention through the Customer Support Portal's remediation section.
Current Threat Landscape
While Palo Alto Networks reported no evidence of active exploitation in the wild, security teams should implement immediate protective measures.
The primary recommendation involves restricting management interface access to trusted internal IP addresses only, following established industry best practices for administrative access control.
Organizations should review their current configurations to identify any management interfaces accessible from external networks.
GlobalProtect portals and gateways are not directly vulnerable, but configurations that include management profiles on these interfaces create potential attack vectors through port 4443.
The company emphasizes that the majority of properly configured firewalls already follow recommended security practices.
However, this vulnerability highlights the critical importance of network segmentation and access control for management interfaces.
Organizations should conduct immediate audits of their management access configurations and implement jump box architectures where direct internal access is not feasible.
Security teams should prioritize this vulnerability based on their current network exposure, with internet-facing management interfaces requiring immediate attention and internal-only configurations allowing for scheduled maintenance windows.
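To turn the version ranges and the exposure-based scoring described above into a repeatable triage check, here is an added example (not a Palo Alto Networks tool, and not code from the advisory) that classifies a PAN-OS version string against the affected ranges the article lists and combines it with the stated management-interface exposure. The version format, the exposure labels and the sample inventory are assumptions.

```python
import re

# Constructed triage helper for this advisory; the ranges and CVSS values
# below are the ones stated in the article, everything else is assumed.
FIRST_FIXED = {(10, 2): 8, (11, 0): 3}   # fix ships in 10.2.8 and 11.0.3
NO_FIX_TRAINS = {(10, 1)}                # entire train affected, no patch
NOT_AFFECTED_TRAINS = {(11, 1), (11, 2)}
# Assumed exposure labels mapped to the article's environment-adjusted scores.
EXPOSURE_CVSS = {"internet": 8.6, "untrusted": 8.6, "internal": 4.0, "jumpbox": 4.0}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse an assumed 'major.minor.patch[-hN]' string (e.g. '10.2.7-h3') into ints."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def version_status(text):
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' (train not covered here)."""
    major, minor, patch, _hotfix = parse_version(text)
    train = (major, minor)
    if train in NOT_AFFECTED_TRAINS:
        return "not_affected"
    if train in NO_FIX_TRAINS:
        return "affected"
    if train in FIRST_FIXED:
        # Hotfix suffixes are ignored: the fix is a maintenance release, not a hotfix.
        return "fixed" if patch >= FIRST_FIXED[train] else "affected"
    return "unknown"   # not listed in the advisory summary; verify against the vendor


def triage(text, exposure):
    """Combine version status with management-interface exposure into a priority."""
    if exposure not in EXPOSURE_CVSS:
        raise ValueError(f"unknown exposure label: {exposure!r}")
    status = version_status(text)
    cvss = EXPOSURE_CVSS[exposure]
    if status in ("fixed", "not_affected"):
        priority = "none"
    elif status == "unknown":
        priority = "verify"
    else:
        priority = "immediate" if cvss >= 8.6 else "scheduled"
    return {"version": text, "status": status, "cvss": cvss, "priority": priority}


if __name__ == "__main__":
    # Constructed sample inventory: (version, exposure of the management interface).
    for v, e in [("10.1.14-h2", "internet"), ("10.2.7-h3", "internal"), ("11.1.4", "internet")]:
        print(triage(v, e))
```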