Cyber Resilience

CVE-2025-0111

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 12 February 2025

Modified: 04 November 2025
KEV Added: 20 February 2025
Patch
CVSS Score v4: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red)
EPSS Score: 0.0369 (88.2th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0111 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-0111 is an authenticated file read vulnerability in Palo Alto Networks PAN-OS software that allows an attacker with network access to the management web interface to read files on the PAN-OS filesystem readable by the “nobody” user. The issue affects PAN-OS but does not impact Cloud NGFW or Prisma Access. It carries a CVSS 4.0 score of 7.1 with high confidentiality impact and is associated with CWE-73 and CWE-610.

An authenticated attacker who already possesses valid credentials and can reach the management interface can exploit the flaw to retrieve arbitrary readable files from the underlying filesystem. No additional user interaction or special preconditions beyond network reachability and authentication are required.

Palo Alto Networks recommends restricting management web interface access to trusted internal IP addresses following published best-practice deployment guidelines as the primary mitigation. The vulnerability is tracked in CISA’s known exploited vulnerabilities catalog.

EU & UK References

Vulnerability details

An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431. This issue does not affect Cloud NGFW or Prisma Access software.

CWE(s)
KEV Date Added: 20 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

The vulnerability enables remote file read via the management web interface (T1190), which can be used to collect sensitive data from the local filesystem (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0108 · Same product: Palo Alto Networks PAN-OS · both on KEV
CVE-2024-3400 · Same product: Palo Alto Networks PAN-OS · both on KEV
CVE-2026-0257 · Same product: Palo Alto Networks PAN-OS · both on KEV
CVE-2025-0114 · Same product: Palo Alto Networks PAN-OS
CVE-2026-0227 · Same product: Palo Alto Networks PAN-OS
CVE-2026-0300 · Same product: Palo Alto Networks PAN-OS · both on KEV
CVE-2025-0118 · Same product class: VPN / SSL gateway
CVE-2025-24472 · Same product class: VPN / SSL gateway · both on KEV
CVE-2026-3055 · Same product class: VPN / SSL gateway · both on KEV
CVE-2024-55591 · Same product class: VPN / SSL gateway · both on KEV

Affected Assets

paloaltonetworks
pan-os
10.1.14, 10.2.12, 10.2.13, 10.2.7, 10.2.8 · 10.1.0 — 10.1.14 · 10.2.0 — 10.2.7 · 10.2.10 — 10.2.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the PAN-OS file read vulnerability by identifying, reporting, and applying vendor patches, eliminating the root cause of exploitation.

prevent

Monitors and controls network communications to the management web interface, enabling restriction to trusted internal IP addresses as recommended by the vendor to block untrusted access required for exploitation.

prevent

Establishes and enforces secure configuration settings for the PAN-OS management web interface per vendor best practices, reducing exposure to authenticated file read attacks.

References