Palo Alto Networks Security Advisories / CVE-2025-0115

CVE-2025-0115 PAN-OS: Authenticated Admin File Read Vulnerability in PAN-OS CLI

Urgency MODERATE

047910
Severity 4.3 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality HIGH
Product Integrity NONE
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2025-03-12
Updated 2025-04-02
Reference PAN-254174, PAN-259758
Discovered externally

Description

A vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated admin on the PAN-OS CLI to read arbitrary files.

The attacker must have network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. You can greatly reduce the risk of this issue by restricting access to the management interface to only trusted users and internal IP addresses according to our recommended critical deployment guidelines.

This issue does not affect Cloud NGFW or Prisma Access.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2< 11.2.3
>= 11.2.3
PAN-OS 11.1< 11.1.4-h17
< 11.1.5
>= 11.1.4-h17
>= 11.1.5
PAN-OS 11.0< 11.0.6
>= 11.0.6
PAN-OS 10.2< 10.2.11
>= 10.2.11
PAN-OS 10.1< 10.1.14-h11
>= 10.1.14-h11
Prisma AccessNone
All

Please note that PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and older releases have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities and no fixes are planned. These versions are presumed to be affected.

Required Configuration for Exposure

The risk is greatest if you enabled access to the management interface (HTTP, HTTPS, SSH, or telnet) from the internet or any untrusted network either:

  1. Directly; or
  2. Through a dataplane interface that includes a management interface profile.
You greatly reduce the risk if you ensure that you allow only trusted users and internal IP addresses to access the management interface.

Severity: MEDIUM, Suggested Urgency: MODERATE

The risk is highest when you allow access to the management interface from external IP addresses on the internet. Our recommendation is to remediate as soon as possible.
MEDIUM - CVSS-BT: 4.3 /CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)

You can greatly reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses. We recommend remediating this vulnerability in your next scheduled maintenance cycle.
LOW - CVSS-BT: 1.6 /CVSS-B: 5.6 (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-41: Improper Resolution of Path Equivalence

CAPEC-126 Path Traversal

Solution

This issue is fixed in PAN-OS 10.1.14-h11, PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5, PAN-OS 11.2.3, and all later PAN-OS versions.

Version
Minor Version
Suggested Solution
PAN-OS 11.2
11.2.0 through 11.2.2Upgrade to 11.2.3 or later
PAN-OS 11.111.1.0 through 11.1.4
Upgrade to 11.1.4-h17 or  11.1.5 or later
PAN-OS 11.0
11.0.0 through 11.0.5
Upgrade to 11.0.6 or later
PAN-OS 10.2
10.2.0 through 10.2.10Upgrade to 10.2.11 or later
PAN-OS 10.1
10.1.0 through 10.1.14
Upgrade to 10.1.14-h11 or later
All other older
unsupported
PAN-OS versions		 Upgrade to a supported fixed version.

Workarounds and Mitigations

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.

Review information about how to secure management access to your Palo Alto Networks firewalls:

Acknowledgments

Palo Alto Networks thanks Visa Cybersecurity team and Deloitte Romania, represented by Razvan Ilisanu and Matei “Mal” Badanoiu for discovering and reporting the issue.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*

Timeline

Updated unaffected software versions
Added recommended mitigation measures
Initial Publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.