CVE-2025-0111
Published: 12 February 2025
Summary
CVE-2025-0111 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Paloaltonetworks Pan-Os. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-0111 is an authenticated file read vulnerability in Palo Alto Networks PAN-OS software that allows an attacker with network access to the management web interface to read files on the PAN-OS filesystem readable by the “nobody” user. The issue affects PAN-OS but does not impact Cloud NGFW or Prisma Access. It carries a CVSS 4.0 score of 7.1 with high confidentiality impact and is associated with CWE-73 and CWE-610.
An authenticated attacker who already possesses valid credentials and can reach the management interface can exploit the flaw to retrieve arbitrary readable files from the underlying filesystem. No additional user interaction or special preconditions beyond network reachability and authentication are required.
Palo Alto Networks recommends restricting management web interface access to trusted internal IP addresses following published best-practice deployment guidelines as the primary mitigation. The vulnerability is tracked in CISA’s known exploited vulnerabilities catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1508
Vulnerability details
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can…
more
greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.
- CWE(s)
- KEV Date Added
- 20 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote file read via management web interface (T1190) to collect sensitive data from local filesystem (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the PAN-OS file read vulnerability by identifying, reporting, and applying vendor patches, eliminating the root cause of exploitation.
Monitors and controls network communications to the management web interface, enabling restriction to trusted internal IP addresses as recommended by the vendor to block untrusted access required for exploitation.
Establishes and enforces secure configuration settings for the PAN-OS management web interface per vendor best practices, reducing exposure to authenticated file read attacks.