Palo Alto Networks Security Advisories /CVE-2025-0110CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig PluginExploit MaturityPOCResponse EffortMODERATERecoveryUSERValue DensityCONCENTRATEDAttack VectorNETWORKAttack ComplexityLOWAttack RequirementsNONEAutomatableNOUser InteractionNONEProduct ConfidentialityHIGHProduct IntegrityHIGHProduct AvailabilityHIGHPrivileges RequiredHIGHSubsequent ConfidentialityNONESubsequent IntegrityNONESubsequent AvailabilityNONECVEJSONCSAF Published2025-02-12 Updated2025-02-12ReferencePLUG-18615DiscoveredexternallyDescriptionA command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall.You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines.Product StatusVersionsAffectedUnaffectedPAN-OS OpenConfig Plugin < 2.1.2>= 2.1.2Required Configuration for ExposureYour PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.OpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.OpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.The OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.Follow these steps to check the version of the OpenConfig plugin that you are using:Select Device > PluginCheck the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed.Severity:HIGH, Suggested Urgency:MODERATEThe risk is highest when you allow access to the management interface from external IP addresses on the internet.CVSS-BT:7.3 /CVSS-B:8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses.CVSS-BT:6.6 /CVSS-B:7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)Exploitation StatusPalo Alto Networks is not aware of any malicious exploitation of this issue.Weakness Type and ImpactCWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')CAPEC-88 OS Command InjectionSolutionThis issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our process for upgrading Panorama plugins.OpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions.Workarounds and MitigationsRecommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practices deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.Review information about how to secure management access to your Palo Alto Networks firewalls:If you do not use the OpenConfig plugin, disable or uninstall it by following these steps:Select Device > Plugins.Locate the installed OpenConfig plugin.Remove Config to disable the OpenConfig pluginORUninstall the OpenConfig plugin.AcknowledgmentsPalo Alto Networks thanks Google GDCE for discovering and reporting the issue.Timeline2025-02-12Initial Publication
