CVE-2025-0111
published 2025-02-12

Priority P181, medium 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
KEV: CISA Known Exploited Vulnerability, due 2025-03-13
ITW: Exploited in the wild
EPSS: 1.86% (76.6th percentile)
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.1.0 < 10.1.14-h9 | 10.1.14-h9 |
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.7-h24 | 10.2.7-h24 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.6-h1 | 11.1.6-h1 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.4-h4 | 11.2.4-h4 |
| paloalto | cloud_ngfw | | |
| paloalto | pan-os | | |
| paloalto | prisma_access | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | | |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.14 | 10.1.14 |
| paloaltonetworks | pan-os | >= 10.2.0 < 10.2.7 | 10.2.7 |
| paloaltonetworks | pan-os | >= 10.2.10 < 10.2.12 | 10.2.12 |
| paloaltonetworks | pan-os | >= 11.0.0 < 11.1.6 | 11.1.6 |
| paloaltonetworks | pan-os | >= 11.2.0 < 11.2.4 | 11.2.4 |

Detection & IOCs (extracted from sources)

  • CVE-2025-0111 is actively chained with CVE-2025-0108 and CVE-2024-9474 in exploit chains targeting PAN-OS management web interfaces — detect concurrent exploitation attempts across all three CVEs on the same host
  • The exploit chain targeting CVE-2025-0111 is used to download configuration files and other sensitive information from PAN-OS devices — monitor for unusual file read activity or config file exfiltration from the management interface
  • Top attack source geolocations for the exploit chain are the United States, Germany, and the Netherlands — use as a contextual enrichment signal when triaging management interface access logs
  • CVE-2025-0111 does not affect Cloud NGFW or Prisma Access — scope detection rules to on-premises PAN-OS deployments only
  • As of the reporting period, 65% of internet-exposed PAN-OS devices (2,262 out of 3,490) remained vulnerable to all three chained CVEs — prioritize detection on externally reachable management interfaces
  • 1,168 devices had patched CVE-2024-9474 but not CVE-2025-0108 and CVE-2025-0111 — partial patching still leaves devices exposed to the full exploit chain

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 7.1 | HIGH | |