Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user.
The attacker must have network access to the management web interface and successfully authenticate to exploit this issue.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
AnalysisAI
Command injection vulnerability in Palo Alto Networks PAN-OS that allows an authenticated administrative user to execute arbitrary commands with root privileges. The vulnerability requires network access to the management web interface and successful authentication, making it a post-authentication remote code execution flaw. While the CVSS score of 7.2 is moderately high, the requirement for administrative credentials significantly limits its practical exploitability in most environments.
Technical ContextAI
This vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), which occurs when user-supplied input is inadequately sanitized before being passed to system command execution functions. In PAN-OS, the management web interface likely accepts administrative input for configuration or diagnostic purposes that is then processed by backend shell commands without proper input validation or parameterization. This flaw affects the core PAN-OS operating system running on Palo Alto Networks firewalls and security appliances. The vulnerability is specific to PAN-OS running on physical and virtual firewall instances; Cloud NGFW and Prisma Access architectures (which use different isolation models and API designs) are explicitly not affected, indicating the vulnerability is tied to on-premises appliance management interfaces.
RemediationAI
Specific remediation actions: (1) Apply security patches released by Palo Alto Networks for PAN-OS - check vendor advisory for specific version numbers (typically denoted as PAN-OS X.X.X-hY where Y indicates hotfix number); (2) Implement network-level access controls restricting management web interface (typically port 443/HTTPS) to trusted administrative networks only; (3) Enforce multi-factor authentication (MFA) for all administrative accounts accessing the management interface; (4) Monitor audit logs for suspicious administrative activity, particularly commands executed with elevated privileges; (5) Implement the principle of least privilege for administrative accounts - limit to necessary permissions only; (6) As a temporary mitigation pending patching, restrict administrative access to the management interface via firewall rules or VPN-only access. For detailed patch version numbers and timelines, consult the official Palo Alto Networks Security Advisory (reference required from vendor).
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F
Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x b
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Palo Alto Networks PAN-OS management interface contains an authenticated file read vulnerability allowing reading of fil
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access t
An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated administrators to exe
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to
A reflected cross-site scripting (XSS) vulnerability exists in the PAN-OS management web interface. Rated high severity
The device-management command-line interface in Palo Alto Networks PAN-OS before 3.1.12, 4.0.x before 4.0.10, and 4.1.x
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with Glob
The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 a
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18223