CVE-2025-0111
Published 2025-02-12
Priority P181 · medium · 6.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
KEV: CISA Known Exploited Vulnerability, due 2025-03-13
ITW: Exploited in the wild
EPSS: 1.86% (76.6th percentile)
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue does not affect Cloud NGFW or Prisma Access software.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.1.0 < 10.1.14-h9 | 10.1.14-h9 |
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.7-h24 | 10.2.7-h24 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.6-h1 | 11.1.6-h1 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.4-h4 | 11.2.4-h4 |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.14 | 10.1.14 |
| paloaltonetworks | pan-os | >= 10.2.0 < 10.2.7 | 10.2.7 |
| paloaltonetworks | pan-os | >= 10.2.10 < 10.2.12 | 10.2.12 |
| paloaltonetworks | pan-os | >= 11.0.0 < 11.1.6 | 11.1.6 |
| paloaltonetworks | pan-os | >= 11.2.0 < 11.2.4 | 11.2.4 |
Detection & IOCs (extracted from sources)
- CVE-2025-0111 is actively chained with CVE-2025-0108 and CVE-2024-9474 in exploit chains targeting PAN-OS management web interfaces — detect concurrent exploitation attempts across all three CVEs on the same host
- The exploit chain targeting CVE-2025-0111 is used to download configuration files and other sensitive information from PAN-OS devices — monitor for unusual file read activity or config file exfiltration from the management interface
- Top attack source geolocations for the exploit chain are the United States, Germany, and the Netherlands — use as a contextual enrichment signal when triaging management interface access logs
- CVE-2025-0111 does not affect Cloud NGFW or Prisma Access — scope detection rules to on-premises PAN-OS deployments only
- As of the reporting period, 65% of internet-exposed PAN-OS devices (2,262 out of 3,490) remained vulnerable to all three chained CVEs — prioritize detection on externally reachable management interfaces
- 1,168 devices had patched CVE-2024-9474 but not CVE-2025-0108 and CVE-2025-0111 — partial patching still leaves devices exposed to the full exploit chain
CVSS provenance
- nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- nvd · v4.0 · 7.1 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red
- vulncheck · 8.8 HIGH
- cisa · 7.1 HIGH
GHSA
GHSA-wmcv-pj3g-38rp: An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the manage
ghsa_unreviewed·2025-02-12
CVE-2025-0111 [HIGH] CWE-610 GHSA-wmcv-pj3g-38rp: An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the manage
VulnCheck
Palo Alto Networks PAN-OS File Read Vulnerability
vulncheck·2025·CVSS 8.8
CVE-2025-0111 [HIGH] CWE-73 Palo Alto Networks PAN-OS File Read Vulnerability
Palo Alto Networks PAN-OS contains an external control of file name or path vulnerability. Successful exploitation enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://security.paloaltonetworks.com/CVE-2025-0108; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-03-13
CISA
Palo Alto Networks PAN-OS File Read Vulnerability
cisa·2025-02-20·CVSS 7.1
CVE-2025-0111 [HIGH] CWE-73 Palo Alto Networks PAN-OS File Read Vulnerability
Vulnerability: Palo Alto Networks PAN-OS File Read Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains an external control of file name or path vulnerability. Successful exploitation enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security.paloaltonetworks.com/CVE-2025-0111 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0111
Remediation Due Date: 2025-03-13
Palo Alto
PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
vendor_paloalto·CVSS 7.1
CVE-2025-0111 [HIGH] CWE-73 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
An authenticated file read vulnerability in the management web interface of the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
The attacker must have network access to the management web interface to exploit this issue. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).
This issue doe
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Palo Alto Networks warns of DoS bug letting hackers disable firewalls
blogs_bleepingcomputer·2026-01-15·CVSS 6.6
CVE-2026-0227 [MEDIUM] Palo Alto Networks warns of DoS bug letting hackers disable firewalls
## Palo Alto Networks warns of DoS bug letting hackers disable firewalls
## Sergiu Gatlan
Palo Alto Networks patched a high-severity vulnerability that could allow unauthenticated attackers to disable firewall protections in denial-of-service (DoS) attacks.
Tracked as CVE-2026-0227, this security flaw affects next-generation firewalls (running PAN-OS 10.1 or later) and Palo Alto Networks' Prisma Access configurations when the GlobalProtect gateway or portal is enabled.
The cybersecurity company says that most cloud-based Prisma Access instances have already been patched, with those left to be secured already scheduled for an upgrade.
"A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated a
Bleepingcomputer
GlobalProtect VPN portals probed with 2.3 million scan sessions
blogs_bleepingcomputer·2025-11-20
## GlobalProtect VPN portals probed with 2.3 million scan sessions
## Bill Toulas
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.
Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin.
"Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high."
In early October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS prof
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz·2025-03-01·CVSS 9.8
CVE-2025-0108 [CRITICAL] Crying Out Cloud Newsletter - March 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Bleepingcomputer
CISA flags Craft CMS code injection flaw as exploited in attacks
blogs_bleepingcomputer·2025-02-21·CVSS 6.9
CVE-2025-23209 [MEDIUM] CISA flags Craft CMS code injection flaw as exploited in attacks
## CISA flags Craft CMS code injection flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Not many technical details about CVE-2025-23209 are available, but exploitation isn't easy, as it requires the installation's security key to have already been compromised.
In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and
Bleepingcomputer
Palo Alto Networks tags new firewall bug as exploited in attacks
blogs_bleepingcomputer·2025-02-19·CVSS 6.9
CVE-2025-0111 [MEDIUM] Palo Alto Networks tags new firewall bug as exploited in attacks
## Palo Alto Networks tags new firewall bug as exploited in attacks
## Bill Toulas
Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 with CVE-2024-9474) to breach PAN-OS firewalls in active attacks.
The vendor first disclosed the authentication bypass vulnerability tracked as CVE-2025-0108 on February 12, 2025, releasing patches to fix the vulnerability. That same day, Assetnote researchers published a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained together to gain root privileges on unpatched PAN-OS firewalls.
A day later, network threat intel firm GreyNoise reported that threat actors had begun actively exploiting the flaws, with attempts coming from
- 2025-02-12: Published
- 2025-02-20: Added to CISA KEV
- Exploited in the wild