CVE-2025-4231

EUVD-2025-18223 | HIGH
2025-06-13
CVSS 3.1 base score: 7.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd), EUVD-2025-18223
CVE Published: Jun 13, 2025 - 00:15 (nvd), HIGH 7.2

Description

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have network access to the management web interface and successfully authenticate to exploit this issue. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Analysis

CVE-2025-4231 is a command injection vulnerability in Palo Alto Networks PAN-OS that allows an authenticated administrative user to execute arbitrary commands with root privileges. Exploitation requires network access to the management web interface and successful authentication, making it a post-authentication remote code execution flaw. While the CVSS score of 7.2 is moderately high, the requirement for administrative credentials significantly limits its practical exploitability in most environments.

Technical Context

This vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), which occurs when user-supplied input is inadequately sanitized before being passed to system command execution functions. In PAN-OS, the management web interface likely accepts administrative input for configuration or diagnostic purposes that is then processed by backend shell commands without proper input validation or parameterization. This flaw affects the core PAN-OS operating system running on Palo Alto Networks firewalls and security appliances. The vulnerability is specific to PAN-OS running on physical and virtual firewall instances; Cloud NGFW and Prisma Access architectures (which use different isolation models and API designs) are explicitly not affected, indicating the vulnerability is tied to on-premises appliance management interfaces.

Affected Products

Affected products are: Palo Alto Networks PAN-OS (specific affected versions not provided in description but typically include multiple major versions). The vulnerability affects: (1) Physical firewall appliances running PAN-OS (PA-Series, VM-Series on compatible hypervisors); (2) Virtual firewall instances (VMware, AWS, Azure, GCP deployments). NOT affected: (1) Cloud NGFW; (2) Prisma Access. CPE likely spans: palo_alto_networks:pan-os (with version range to be determined from official advisory). Vendor advisory and detailed affected version ranges should be obtained from Palo Alto Networks Security Advisories portal.

Remediation

Specific remediation actions:

(1) Apply security patches released by Palo Alto Networks for PAN-OS - check vendor advisory for specific version numbers (typically denoted as PAN-OS X.X.X-hY where Y indicates hotfix number);
(2) Implement network-level access controls restricting management web interface (typically port 443/HTTPS) to trusted administrative networks only;
(3) Enforce multi-factor authentication (MFA) for all administrative accounts accessing the management interface;
(4) Monitor audit logs for suspicious administrative activity, particularly commands executed with elevated privileges;
(5) Implement the principle of least privilege for administrative accounts - limit to necessary permissions only;
(6) As a temporary mitigation pending patching, restrict administrative access to the management interface via firewall rules or VPN-only access.

For detailed patch version numbers and timelines, consult the official Palo Alto Networks Security Advisory (reference required from vendor).

Priority Score

Score: 36
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
