CVE-2025-4230
Awaiting Analysis
BaseFortify

Publication date: 2025-06-13

Last updated on: 2025-06-16

Assigner: Palo Alto Networks, Inc.

Description
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Meta Information
Published: 2025-06-13
Last Modified: 2025-06-16
Generated: 2026-05-07
AI Q&A: 2025-06-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-78
Description: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a command injection flaw in Palo Alto Networks PAN-OS software that allows an authenticated administrator with CLI access to bypass system restrictions and execute arbitrary commands as the root user. Exploiting it requires local CLI access with high privileges but no special user interaction or configuration. It affects certain PAN-OS versions prior to fixed releases and is classified as an OS command injection vulnerability. [1]


How can this vulnerability impact me?

If exploited, this vulnerability poses a high risk to the confidentiality, integrity, and availability of the affected PAN-OS system. An attacker with CLI access could run arbitrary commands as root, potentially compromising the system's security and stability. However, the risk is minimized if CLI access is restricted to a limited group of administrators. No known exploitation has been reported yet. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves verifying the PAN-OS version running on your devices to see if it falls within the affected versions: 11.2.0 through 11.2.5, 11.1.0 through 11.1.9, 10.2.0 through 10.2.13, and 10.1.0 through 10.1.14-h14. You can check the PAN-OS version by running the CLI command: 'show system info' on your Palo Alto Networks device. There are no specific commands provided to detect exploitation attempts or presence of the vulnerability beyond version checking. Monitoring CLI access logs for unusual or unauthorized command execution by administrators may help detect exploitation attempts. [1]
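
The version check described above can be scripted for a fleet. This is an added example, not code from Palo Alto Networks or from this page: it reads the sw-version field from saved 'show system info' output and compares it with the fixed releases listed on this page. The sample output is constructed, and treating hotfix builds below a fixed release as affected is an assumption.

```python
import re

# Fixed releases per release train, as listed on this page:
# 11.2.6, 11.1.10, 10.2.14 and 10.1.14-h15. Stored as (maintenance, hotfix).
FIXED = {
    (11, 2): (6, 0),
    (11, 1): (10, 0),
    (10, 2): (14, 0),
    (10, 1): (14, 15),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample of 'show system info' output (not from a real device).
SAMPLE = """\
hostname: fw-lab-01
ip-address: 192.0.2.10
model: PA-VM
sw-version: 10.1.14-h14
"""

def sw_version(show_system_info):
    """Return the value of the sw-version line from 'show system info' text."""
    for line in show_system_info.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")

def parse_version(text):
    """Split '10.1.14-h14' into ((10, 1), (14, 14)); no hotfix counts as h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), (int(maint), int(hotfix or 0))

def classify(version):
    """Return 'affected', 'fixed', or 'train-not-listed' for a version string."""
    train, build = parse_version(version)
    fixed = FIXED.get(train)
    if fixed is None:
        return "train-not-listed"  # this page gives no data for the train
    # Assumption: any build below the fixed release, hotfixes included, is affected.
    return "affected" if build < fixed else "fixed"

if __name__ == "__main__":
    version = sw_version(SAMPLE)
    print(version, classify(version))
```

A result of "train-not-listed" means this page says nothing about that release train, not that the device is safe.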


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade affected PAN-OS versions to the fixed releases: 11.2.6 or later, 11.1.10 or later, 10.2.14 or later, and 10.1.14-h15 or later. Additionally, restrict CLI access to a limited group of trusted administrators to minimize the risk of exploitation. There are no other known workarounds or mitigations. [1]

