Cyber Resilience

CVE-2025-0110

High · RCE

Published: 12 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0110 is a high-severity OS Command Injection (CWE-78) vulnerability in a Palo Alto Networks product (vendor inferred from references). Its CVSS base score is 8.6 (High).

Operationally, it ranks at the 28.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A command injection vulnerability tracked as CVE-2025-0110 affects the OpenConfig plugin in Palo Alto Networks PAN-OS. An authenticated administrator who can issue gNMI requests against the PAN-OS management web interface can bypass existing restrictions and execute arbitrary operating-system commands on the firewall; the injected commands run in the context of the built-in “__openconfig” account, which possesses the Device Administrator role.

Exploitation requires an account with administrative privileges and the ability to reach the management interface with gNMI requests. Successful attacks allow the adversary to run any command permitted to the __openconfig user, effectively granting broad control over the affected firewall without needing additional credentials.

The vendor advisory recommends reducing exposure by restricting management-web-interface access to trusted internal IP addresses in accordance with Palo Alto Networks’ published best-practice deployment guidelines. No other specific configuration changes or plugin-level workarounds are described.

EPSS for the issue rose from a low baseline to a peak of 0.0314 on 2025-12-11 before receding, indicating a measurable increase in exploitation interest several months after the February 2025 disclosure.

EU & UK References

Vulnerability details

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Palo Alto Networks
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References