CVE-2025-0111
Published: 12 February 2025
Summary
CVE-2025-0111 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the PAN-OS file read vulnerability by identifying, reporting, and applying vendor patches, eliminating the root cause of exploitation.
Monitors and controls network communications to the management web interface, enabling restriction to trusted internal IP addresses as recommended by the vendor to block untrusted access required for exploitation.
Establishes and enforces secure configuration settings for the PAN-OS management web interface per vendor best practices, reducing exposure to authenticated file read attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote file read via management web interface (T1190) to collect sensitive data from local filesystem (T1005).
NVD Description
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431. This issue does not affect Cloud NGFW or Prisma Access software.
Deeper analysis
CVE-2025-0111 is an authenticated file read vulnerability in the Palo Alto Networks PAN-OS software. It affects the management web interface, enabling an authenticated attacker with network access to read files on the PAN-OS filesystem that are readable by the “nobody” user. This issue does not affect Cloud NGFW or Prisma Access software and is associated with CWE-73 and CWE-610.
An authenticated attacker with low privileges and network access to the management web interface (AV:N/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability to achieve high confidentiality impact (C:H), with no impact on integrity or availability. Exploitation allows reading potentially sensitive files accessible to the “nobody” user, as reflected in the CVSS v3.1 base score of 6.5.
Palo Alto Networks advisories state that the risk can be greatly reduced by restricting management web interface access to only trusted internal IP addresses, per their recommended best practices at https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431. Further details are available in the vendor security advisory at https://security.paloaltonetworks.com/CVE-2025-0111, and the vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0111.
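One way to check the vendor's recommendation above against a management allow-list, as an added example (not code from Palo Alto Networks or from this page). It assumes the permitted source addresses have already been exported as plain strings, that "trusted internal" means RFC 1918 plus IPv6 ULA space, and that an empty list means no restriction; the function name and sample entries are constructed.

```python
import ipaddress

# Assumption: "trusted internal" = RFC 1918 + IPv6 unique local addresses.
# Replace with the ranges your organisation actually treats as internal.
TRUSTED_SUPERNETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def audit_mgmt_allowlist(entries):
    """Return (entry, finding) pairs for allow-list entries that expose the
    management web interface beyond the trusted internal ranges."""
    if not entries:
        # Assumption: no listed sources means access is not restricted at all.
        return [("<empty>", "no source restriction configured")]
    findings = []
    for raw in entries:
        try:
            # strict=False accepts host addresses and CIDRs with host bits set.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            findings.append((raw, "not a valid IP address or CIDR"))
            continue
        if net.prefixlen == 0:
            findings.append((raw, "matches every source address"))
        elif not any(
            net.version == t.version and net.subnet_of(t)
            for t in TRUSTED_SUPERNETS
        ):
            findings.append((raw, "outside trusted internal ranges"))
    return findings


# Constructed sample allow-list (not taken from any real device).
SAMPLE = ["10.20.0.0/24", "192.168.1.10", "203.0.113.0/24",
          "0.0.0.0/0", "172.16.0.0/11", "mgmt-jump"]

if __name__ == "__main__":
    for entry, finding in audit_mgmt_allowlist(SAMPLE):
        print(f"{entry}: {finding}")
```

An entry such as `172.16.0.0/11` is flagged because the prefix is wider than the private `172.16.0.0/12` block and therefore admits public addresses.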
Details
- CWE(s)
- KEV Date Added: 20 February 2025