CVE-2025-4231

PAN-OS: Authenticated Admin Command Injection Vulnerability in the Management Web Interface

Description

A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have network access to the management web interface and successfully authenticate to exploit this issue. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Remediation

Solution:

| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.2 | | No action needed. |
| PAN-OS 11.1 | | No action needed. |
| PAN-OS 11.0* | 11.0.0 through 11.0.2 | Upgrade to 11.0.3 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.7 | Upgrade to 10.2.8 or later. |
| PAN-OS 10.1 | | Upgrade to 10.2.8 or 11.0.3 or later. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |

*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version.

Workaround:

  • Recommended mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our guidance:
      • https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
      • Palo Alto Networks official and detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Category

CVSS: 8.6 (CVSS 4.0)
Severity: High
EPSS: 0.26%
Vendor Advisory: paloaltonetworks.com
Affected: Palo Alto Networks Cloud NGFW
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks Prisma Access

Frequently Asked Questions

What is the severity of CVE-2025-4231?
CVE-2025-4231 has been scored as a high severity vulnerability.
How to fix CVE-2025-4231?
To fix CVE-2025-4231:

| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.2 | | No action needed. |
| PAN-OS 11.1 | | No action needed. |
| PAN-OS 11.0* | 11.0.0 through 11.0.2 | Upgrade to 11.0.3 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.7 | Upgrade to 10.2.8 or later. |
| PAN-OS 10.1 | | Upgrade to 10.2.8 or 11.0.3 or later. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |

*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version.
Is CVE-2025-4231 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-4231 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4231?
CVE-2025-4231 affects Palo Alto Networks Cloud NGFW, Palo Alto Networks PAN-OS, Palo Alto Networks Prisma Access.