CVE-2025-0111 Palo Alto Networks PAN-OS File Read
CVE-2025-0111 is an authenticated file read vulnerability discovered in Palo Alto Networks’ PAN-OS, the operating system that powers the company’s next-generation firewalls. This vulnerability allows an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are accessible by the “nobody” user. The issue was publicly disclosed on February 12, 2025, and has been observed in active exploitation, often in combination with other vulnerabilities, to compromise unpatched systems.
What is Vulnerable to CVE-2025-0111
The following versions of PAN-OS are affected by CVE-2025-0111:
- PAN-OS 11.2: Versions prior to 11.2.4-h4
- PAN-OS 11.1: Versions prior to 11.1.6-h1
- PAN-OS 10.2: Versions prior to 10.2.13-h3
- PAN-OS 10.1: Versions prior to 10.1.14-h9
It’s important to note that Cloud NGFW and Prisma Access software are not affected by this vulnerability.
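One way to triage a firewall inventory against the affected ranges listed above, as an added example that is not code from this page or from Palo Alto Networks. It assumes version strings of the form major.minor.maintenance[-hN] and that builds within a branch order by maintenance number, then hotfix number; the function names, hostnames and sample versions are constructed for illustration.

```python
import re

# First fixed build per release branch, taken from the list on this page.
FIXED = {
    (11, 2): (4, 4),   # 11.2.4-h4
    (11, 1): (6, 1),   # 11.1.6-h1
    (10, 2): (13, 3),  # 10.2.13-h3
    (10, 1): (14, 9),  # 10.1.14-h9
}
# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return ((major, minor), (maintenance, hotfix)) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    hotfix = int(m.group(4) or 0)  # no -hN suffix sorts before -h1
    return (major, minor), (maint, hotfix)

def status(text):
    """Classify a version as 'affected', 'fixed' or 'unlisted'."""
    branch, build = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unlisted"  # branch not covered by this page's list
    return "affected" if build < fixed else "fixed"

def triage(inventory):
    """Map hostname -> status; unparsable strings are flagged for review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = status(version)
        except ValueError:
            result[host] = "unparsed"
    return result

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"fw-edge-01": "11.1.6", "fw-edge-02": "11.1.6-h1",
              "fw-dc-01": "10.2.13-h3", "fw-lab-01": "10.1.14-h8",
              "fw-old-01": "9.1.19", "fw-bad-01": "unknown"}
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

Hosts reported as "unlisted" or "unparsed" need a manual check against the vendor advisory rather than being treated as safe.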
Mitigation and Remediation for CVE-2025-0111
To protect systems from potential exploitation of CVE-2025-0111, administrators should take the following actions:
Update PAN-OS: Upgrade to the latest versions that address this vulnerability:
- PAN-OS 11.2: Upgrade to 11.2.4-h4 or later
- PAN-OS 11.1: Upgrade to 11.1.6-h1 or later
- PAN-OS 10.2: Upgrade to 10.2.13-h3 or later
- PAN-OS 10.1: Upgrade to 10.1.14-h9 or later
Restrict Management Interface Access: Limit access to the management web interface to trusted internal IP addresses only. This can significantly reduce the risk of unauthorized exploitation.
Monitor for Unusual Activity: Regularly inspect system logs and network traffic for signs of unauthorized access or anomalies that may indicate exploitation attempts.
Impact of Successful Exploitation of CVE-2025-0111
Exploiting CVE-2025-0111 allows an authenticated attacker to read sensitive files on the PAN-OS filesystem that are accessible by the “nobody” user. While this vulnerability alone does not grant full system control, the information obtained can be leveraged to facilitate further attacks. Notably, threat actors have been observed chaining this vulnerability with others, such as CVE-2025-0108 (authentication bypass) and CVE-2024-9474 (privilege escalation), to achieve unauthorized access and escalate privileges on unpatched PAN-OS systems.
Proof of Concept for CVE-2025-0111
As of now, there is no publicly available proof-of-concept (PoC) exploit specifically for CVE-2025-0111. However, given the active exploitation of this vulnerability in combination with others, it is crucial for organizations to apply the recommended patches and mitigation strategies promptly to safeguard their systems.
For detailed information and updates, refer to Palo Alto Networks’ official security advisory.