CVE-2025-4615 — Improper Neutralization of Script in Attributes in a Web Page in Palo Alto Networks Pan-os

CWE-83 — Improper Neutralization of Script in Attributes in a Web Page4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 83.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Cloud Ngfw +2 more

Timeline

PublishedOct 9

Description

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

▶Palo Altopaloalto/cloud_ngfw

▶Palo Altopaloalto/prisma_access

▶NVDpaloaltonetworks/pan-os10.2.0 — 10.2.17+2

▶CVEListV5palo_alto_networks/pan-os11.2.0 — 11.2.8+2

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-9w5h-px4f-8h8m: An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated adm↗2025-10-09

▶

CVEList

PAN-OS: Improper Neutralization of Input in the Management Web Interface↗2025-10-09

▶

📋Vendor Advisories

Palo Alto

PAN-OS: Improper Neutralization of Input in the Management Web Interface↗

▶