
A Google researcher has disclosed details and a proof-of-concept (PoC) exploit for a vulnerability (CVE-2025-0110) in Palo Alto Networks’ PAN-OS firewall software. The vulnerability, assigned a CVSSv4 score of 8.6 (High), could allow an authenticated attacker to execute arbitrary commands on the underlying operating system with administrator privileges.
The vulnerability resides in the PAN-OS OpenConfig plugin, which enables the retrieval of system logs through the gnmi.Subscribe function. By manipulating the type parameter in an OpenConfig API request, an attacker can inject and execute arbitrary bash commands on the firewall.
The vulnerability is triggered using a specially crafted request that abuses the XPATH query structure in the OpenConfig API:
Using the gnmic tool, an attacker can execute arbitrary bash commands on the PAN-OS device:
The response confirms successful execution of the command, proving the system’s susceptibility to command injection.
The vulnerability affects PAN-OS deployments where OpenConfig Plugin is enabled, including:
- PAN-OS 11.0.4 and later (ships with OpenConfig 2.0.1+)
- PAN-OS 10.2.11 and later (ships with OpenConfig 2.0.2+)
The OpenConfig API is accessible via the PAN-OS management interface on port 9339, making it a significant security risk if exposed.
Palo Alto Networks has released a security fix in OpenConfig Plugin version 2.1.2, included in PAN-OS 11.2.5 and later. Users can mitigate the risk by:
- Updating OpenConfig Plugin to version 2.1.2 or later.
- Disabling or uninstalling OpenConfig Plugin if not required.
- Restricting management interface access to trusted networks.
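One way to turn the affected and fixed versions above into a fleet-triage check, as an added example that is not part of the article or of Palo Alto Networks' tooling; the Device fields, the exposure flag and the sample inventory are assumptions about what an asset inventory records:

```python
# Added triage helper, not from the article or Palo Alto Networks. It encodes
# only what the article states: the flaw lives in the OpenConfig plugin, is
# reachable only while the plugin is enabled, and is fixed in plugin 2.1.2.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIXED_PLUGIN_VERSION = (2, 1, 2)  # fix version stated in the article

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.0.10' below '2.0.2')."""
    return tuple(int(part) for part in text.strip().split("."))

@dataclass
class Device:
    name: str
    plugin_installed: bool
    plugin_enabled: bool
    plugin_version: Optional[str]   # None when the plugin is not installed
    port_9339_exposed: bool         # assumed inventory field: gNMI port reachable from untrusted networks

def triage(dev: Device) -> str:
    """Classify one device: not-affected, patched, disabled-but-update, vulnerable, vulnerable-exposed."""
    if not dev.plugin_installed or dev.plugin_version is None:
        return "not-affected"
    if parse_version(dev.plugin_version) >= FIXED_PLUGIN_VERSION:
        return "patched"
    if not dev.plugin_enabled:
        return "disabled-but-update"  # dormant, but becomes exploitable the moment it is enabled
    # Exposure of port 9339 beyond trusted networks raises the priority, matching the article's third mitigation.
    return "vulnerable-exposed" if dev.port_9339_exposed else "vulnerable"

# Constructed sample inventory, not real devices.
INVENTORY: List[Device] = [
    Device("fw-edge-1", True, True, "2.0.2", True),
    Device("fw-core-1", True, True, "2.1.2", False),
    Device("fw-lab-1", True, False, "2.0.1", False),
    Device("fw-branch-1", False, False, None, False),
]

def summarize(devices: List[Device] = INVENTORY) -> Dict[str, str]:
    """Map each device name to its triage result."""
    return {d.name: triage(d) for d in devices}

if __name__ == "__main__":
    for name, status in summarize().items():
        print(f"{name}: {status}")
```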