CVE-2025-0110
Published: 12 February 2025
Summary
CVE-2025-0110 is a high-severity OS Command Injection (CWE-78) vulnerability in a Palo Alto Networks product (vendor inferred from references). Its CVSS base score is 8.6 (High).
Operationally, it ranks at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability tracked as CVE-2025-0110 affects the OpenConfig plugin in Palo Alto Networks PAN-OS. An authenticated administrator who can issue gNMI requests against the PAN-OS management web interface can bypass existing restrictions and execute arbitrary operating-system commands on the firewall; the injected commands run in the context of the built-in “__openconfig” account, which possesses the Device Administrator role.
Exploitation requires an account with administrative privileges and the ability to reach the management interface with gNMI requests. Successful attacks allow the adversary to run any command permitted to the __openconfig user, effectively granting broad control over the affected firewall without needing additional credentials.
The vendor advisory recommends reducing exposure by restricting management-web-interface access to trusted internal IP addresses in accordance with Palo Alto Networks’ published best-practice deployment guidelines. No other specific configuration changes or plugin-level workarounds are described.
EPSS for the issue rose from a low baseline to a peak of 0.0314 on 2025-12-11 before receding, indicating a measurable increase in exploitation interest several months after the February 2025 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1507
Vulnerability details
A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.