CVE-2025-4230

EUVD ID: EUVD-2025-18226 | Severity: HIGH
Published: 2025-06-13 | Source: [email protected]
CVSS 4.0 base score: 8.4

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/U:Amber

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd) - EUVD-2025-18226
CVE Published: Jun 13, 2025 - 00:15 (nvd) - HIGH 8.4

Description

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Analysis

This is a command injection vulnerability in Palo Alto Networks PAN-OS that allows authenticated administrators with CLI access to bypass system restrictions and execute arbitrary commands with root privileges. The vulnerability affects on-premises PAN-OS deployments and carries a CVSS 4.0 base score of 8.4, but the risk is significantly reduced in environments where CLI access is restricted to a limited administrative group. Cloud NGFW and Prisma Access are not affected.

Technical Context

This vulnerability is a CWE-78 (Improper Neutralization of Special Elements used in an OS Command) command injection flaw in the Palo Alto Networks PAN-OS command-line interface. The vulnerability stems from insufficient input validation in CLI command processing, allowing authenticated users to inject arbitrary OS commands that execute with root privileges. PAN-OS is a security operating system running on Palo Alto Networks firewalls (PA-Series, VM-Series) and management appliances. The flaw exists in the CLI parsing mechanism where user-supplied input is not properly sanitized before being passed to underlying OS command execution functions, enabling an attacker to break out of the intended command context and execute arbitrary shell commands.

Affected Products

Palo Alto Networks PAN-OS on-premises deployments, including PA-Series firewalls (PA-3000, PA-5000, PA-7000 series and derivatives), VM-Series virtual firewalls, and management appliances running vulnerable PAN-OS versions. Specific version ranges are not provided in the CVE description; consult the Palo Alto Networks security advisory for the affected version enumeration. Cloud NGFW and Prisma Access are explicitly NOT affected. Because the vulnerability requires authentication and CLI access, it is not reachable by unauthenticated remote attackers. Refer to the official Palo Alto Networks security advisory (SA-PAN-OS-CVE-2025-4230 or similar) for patch availability and version-specific remediation guidance.

Remediation

Primary remediation: Apply Palo Alto Networks security patches for affected PAN-OS versions as released in the official security advisory.

Interim mitigations if patches are unavailable:

1. Restrict PAN-OS CLI access to a minimal set of trusted administrators through role-based access control (RBAC) and administrative account management.
2. Implement network segmentation to limit management plane access to trusted administrative networks only.
3. Audit and revoke unnecessary administrative CLI privileges.
4. Enable comprehensive CLI command logging and monitoring for anomalous command execution patterns.
5. Use out-of-band management networks to isolate administrative access.

Verify patch deployment thoroughly in test environments before production rollout.

Priority Score

42 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +42
POC: 0


CVE-2025-4230 vulnerability details – vuln.today
