CVE-2025-0127 PAN-OS: Authenticated Admin Command Injection Vulnerability in PAN-OS VM-Series
Description
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | None on VM-Series | All on VM-Series |
PAN-OS 11.1 | None on VM-Series | All on VM-Series |
PAN-OS 11.0 | < 11.0.4 on VM-Series | >= 11.0.4 on VM-Series |
PAN-OS 10.2 | < 10.2.9 on VM-Series | >= 10.2.9 on VM-Series |
PAN-OS 10.1 | < 10.1.14-h13 on VM-Series | >= 10.1.14-h13 on VM-Series |
Prisma Access | None | All |
PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and earlier PAN-OS versions have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities, so we do not plan to fix this issue in these EoL versions. You should presume that these versions are affected.
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.0 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
PAN-OS 11.2 on VM-Series | | No action needed |
PAN-OS 11.1 on VM-Series | | No action needed |
PAN-OS 11.0 on VM-Series | 11.0.0 through 11.0.3 | Upgrade to 11.0.4 or later |
PAN-OS 10.2 on VM-Series | 10.2.0 through 10.2.8 | Upgrade to 10.2.9 or later |
PAN-OS 10.1 on VM-Series | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h13 or later |
PAN-OS on non VM-Series platforms | | No action needed |
All other older unsupported PAN-OS versions | | Upgrade to a supported fixed version |
PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version.
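Added example, not part of the advisory or of Palo Alto Networks' tooling: a small Python triage helper that encodes the Product Status and Solution tables so a fleet inventory can be checked against them, including the hotfix comparison needed for 10.1.14 versus 10.1.14-h13. The version regex, the sample host names and the treatment of trains newer than 11.2 are assumptions of mine.

```python
import re

# Fixed releases from the advisory's Product Status table (VM-Series only).
FIXED_VERSIONS = {(11, 0): "11.0.4", (10, 2): "10.2.9", (10, 1): "10.1.14-h13"}
# Trains the table lists as having no affected release on VM-Series.
UNAFFECTED_TRAINS = {(11, 1), (11, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")  # assumed format


def parse_version(version):
    """'major.minor.maint[-hN]' -> comparable tuple; no hotfix sorts as h0,
    so 10.1.14 < 10.1.14-h13 < 10.1.15, matching how the fixed row is read."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version, platform):
    """True when the advisory places this version/platform pair in the affected set."""
    if platform.strip().lower() != "vm-series":
        return False  # only VM-Series is in scope
    v = parse_version(version)
    train = v[:2]
    if train in UNAFFECTED_TRAINS:
        return False
    if train in FIXED_VERSIONS:
        return v < parse_version(FIXED_VERSIONS[train])
    if train > (11, 2):
        return False  # assumption: trains newer than 11.2 are outside the advisory
    return True  # 10.0, 9.1, 9.0 and older are EoL: the advisory says presume affected


def suggested_action(version, platform):
    """Map a (version, platform) pair to the Solution table's recommendation."""
    if not is_affected(version, platform):
        return "No action needed"
    train = parse_version(version)[:2]
    if train in FIXED_VERSIONS:
        return f"Upgrade to {FIXED_VERSIONS[train]} or later"
    return "Upgrade to a supported fixed version"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("fw-vm-01", "10.1.14", "VM-Series"), ("fw-vm-02", "10.1.14-h13", "VM-Series"),
                 ("fw-vm-03", "11.0.2", "VM-Series"), ("fw-hw-01", "10.2.3", "hardware")]
    for host, ver, plat in inventory:
        print(f"{host}: {ver} on {plat} -> {suggested_action(ver, plat)}")
```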
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs