[Palo Alto Networks Security Advisories] CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability inOpenConfig Plugin

February 21, 2025

Palo Alto Networks Security Advisories /CVE-2025-0110

CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin

UrgencyMODERATE

047910
Severity7.3 ·HIGH
Exploit MaturityPOC
Response EffortMODERATE
RecoveryUSER
Value DensityCONCENTRATED
Attack VectorNETWORK
Attack ComplexityLOW
Attack RequirementsNONE
AutomatableNO
User InteractionNONE
Product ConfidentialityHIGH
Product IntegrityHIGH
Product AvailabilityHIGH
Privileges RequiredHIGH
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE
CVEJSONCSAF
Published2025-02-12
Updated2025-02-21
ReferencePLUG-18615
Discoveredexternally

Description

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall.

You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines.

Product Status

VersionsAffectedUnaffected
PAN-OS OpenConfig Plugin < 2.1.2>= 2.1.2

Required Configuration for Exposure

Your PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.

  • OpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.
  • OpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.

The OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.

Follow these steps to check the version of the OpenConfig plugin that you are using:

  1. Select Device Plugin
  2. Check the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed.

Aviwj0hI+SKdYIDQ0YPSeYggAALuKtpPkcwyjAAAAAElFTkSuQmCC

Severity:HIGH, Suggested Urgency:MODERATE

The risk is highest when you allow access to the management interface from external IP addresses on the internet.
CVSS-BT:7.3 /CVSS-B:8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses.
CVSS-BT:6.6 /CVSS-B:7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. Palo Alto Networks is aware of a public blog discussing this issue.

Weakness Type and Impact

CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CAPEC-88 OS Command Injection

Solution

This issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our process for upgrading Panorama plugins.

OpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions.

Workarounds and Mitigations

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practices deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.

Review information about how to secure management access to your Palo Alto Networks firewalls:

If you do not use the OpenConfig plugin, disable or uninstall it by following these steps:
  1. Select Device > Plugins.
  2. Locate the installed OpenConfig plugin.
  3. Remove Config to disable the OpenConfig plugin
    OR
    Uninstall the OpenConfig plugin.

Acknowledgments

Palo Alto Networks thanks Google GDCE for discovering and reporting the issue.

Timeline

Updated the exploit status section
Initial Publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

To keep up to date follow us on the below channels.

Tags: , ,

[Palo Alto Networks Security Advisories] CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability inOpenConfig Plugin

February 21, 2025

Palo Alto Networks Security Advisories /CVE-2025-0110

CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin

UrgencyMODERATE

047910
Severity7.3 ·HIGH
Exploit MaturityPOC
Response EffortMODERATE
RecoveryUSER
Value DensityCONCENTRATED
Attack VectorNETWORK
Attack ComplexityLOW
Attack RequirementsNONE
AutomatableNO
User InteractionNONE
Product ConfidentialityHIGH
Product IntegrityHIGH
Product AvailabilityHIGH
Privileges RequiredHIGH
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE
CVEJSONCSAF
Published2025-02-12
Updated2025-02-21
ReferencePLUG-18615
Discoveredexternally

Description

A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall.

You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines.

Product Status

VersionsAffectedUnaffected
PAN-OS OpenConfig Plugin < 2.1.2>= 2.1.2

Required Configuration for Exposure

Your PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.

  • OpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.
  • OpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.

The OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.

Follow these steps to check the version of the OpenConfig plugin that you are using:

  1. Select Device Plugin
  2. Check the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed.

Aviwj0hI+SKdYIDQ0YPSeYggAALuKtpPkcwyjAAAAAElFTkSuQmCC

Severity:HIGH, Suggested Urgency:MODERATE

The risk is highest when you allow access to the management interface from external IP addresses on the internet.
CVSS-BT:7.3 /CVSS-B:8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses.
CVSS-BT:6.6 /CVSS-B:7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. Palo Alto Networks is aware of a public blog discussing this issue.

Weakness Type and Impact

CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

CAPEC-88 OS Command Injection

Solution

This issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our process for upgrading Panorama plugins.

OpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions.

Workarounds and Mitigations

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practices deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.

Review information about how to secure management access to your Palo Alto Networks firewalls:

If you do not use the OpenConfig plugin, disable or uninstall it by following these steps:
  1. Select Device > Plugins.
  2. Locate the installed OpenConfig plugin.
  3. Remove Config to disable the OpenConfig plugin
    OR
    Uninstall the OpenConfig plugin.

Acknowledgments

Palo Alto Networks thanks Google GDCE for discovering and reporting the issue.

Timeline

Updated the exploit status section
Initial Publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

To keep up to date follow us on the below channels.

Tags: , ,

You may have missed

image

CVE Alert: CVE-2025-25878

February 22, 2025
image

CVE Alert: CVE-2020-19248

February 22, 2025
image

CVE Alert: CVE-2025-25877

February 22, 2025
image

CVE Alert: CVE-2025-25772

February 22, 2025
image

CVE Alert: CVE-2025-25605

February 22, 2025