Cloud NGFW

Description

Product name

cloud ngfw

CVE-2025-2182 (GCVE-0-2025-2182)
Vulnerability from
Published
2025-08-13 17:03
Modified
2025-08-13 20:32
Severity ?
5.6 (Medium) - CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Summary
A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster. A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All   < 3.2.449
 Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.2.0   < 11.2.8
Version: 11.1.0   < 11.1.10
Patch: 10.2.0
Patch: 10.1.0
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:PA-7500:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:PA-7500:*
 Create a notification for this product.
   Palo Alto Networks PAN-OS Patch: All
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2182",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-13T20:32:04.428121Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-13T20:32:15.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.2.449",
                  "status": "unaffected"
                }
              ],
              "lessThan": "3.2.449",
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:PA-7500:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:PA-7500:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "Clusters"
          ],
          "platforms": [
            "PA-7500"
          ],
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.2.8",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.10",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "devices other than PA-7500"
          ],
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe following conditions must be true to be vulnerable to this issue:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eYour PA-7500 Series devices must be in an NGFW cluster. For more information regarding NGFW Clusters see our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/ngfw-clustering/ngfw-clusters\"\u003edocumentation\u003c/a\u003e.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eA MACsec policy must be configured and enabled for the NGFW cluster. For more information about MACsec profiles please see our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-macsec-profile\"\u003edocumentation\u003c/a\u003e.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cb\u003e\u003c/b\u003e"
            }
          ],
          "value": "The following conditions must be true to be vulnerable to this issue:\n\n  *  Your PA-7500 Series devices must be in an NGFW cluster. For more information regarding NGFW Clusters see our  documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/ngfw-clustering/ngfw-clusters .\n\n\n  *  A MACsec policy must be configured and enabled for the NGFW cluster. For more information about MACsec profiles please see our  documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-macsec-profile ."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was found during an internal security review."
        }
      ],
      "datePublic": "2025-08-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS\u00ae results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster.\u003cbr\u003eA user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.\u0026nbsp;\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS\u00ae results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster.\nA user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-158",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-158 Sniffing Network Traffic"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "AUTOMATIC",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "PHYSICAL",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-13T17:03:21.617Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-2182"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eCloud NGFW\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n                                    \u003ctd\u003ePAN-OS 11.2 on PA-7500\u003cbr\u003e\u003c/td\u003e\n                                    \u003ctd\u003e11.2.0 through 11.2.7\u003c/td\u003e\n                                    \u003ctd\u003eUpgrade to 11.2.8 or later.\u003c/td\u003e\n                                \u003c/tr\u003e\u003ctr\u003e\n                                    \u003ctd\u003ePAN-OS 11.1 on PA-7500\u003cbr\u003e\u003c/td\u003e\n                                    \u003ctd\u003e11.1.0 through 11.1.9\u003c/td\u003e\n                                    \u003ctd\u003eUpgrade to 11.1.10 or later.\u003c/td\u003e\n                                \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.2 on PA-7500\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1 on PA-7500\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS on devices other than PA-7500\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nCloud NGFW\nNo action needed.\n                                    PAN-OS 11.2 on PA-7500\n\n                                    11.2.0 through 11.2.7\n                                    Upgrade to 11.2.8 or later.\n                                \n                                    PAN-OS 11.1 on PA-7500\n\n                                    11.1.0 through 11.1.9\n                                    Upgrade to 11.1.10 or later.\n                                PAN-OS 10.2 on PA-7500\nNo action needed.PAN-OS 10.1 on PA-7500\nNo action needed.PAN-OS on devices other than PA-7500\nNo action needed.All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.Prisma Access\nNo action needed."
        }
      ],
      "source": {
        "defect": [
          "PAN-284490"
        ],
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-08-13T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)",
      "workarounds": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No known workarounds exist for this issue."
            }
          ],
          "value": "No known workarounds exist for this issue."
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.2.7-h2",
        "PAN-OS 11.2.7-h1",
        "PAN-OS 11.2.7",
        "PAN-OS 11.2.6",
        "PAN-OS 11.2.5",
        "PAN-OS 11.2.4-h11",
        "PAN-OS 11.2.4-h10",
        "PAN-OS 11.2.4-h9",
        "PAN-OS 11.2.4-h8",
        "PAN-OS 11.2.4-h7",
        "PAN-OS 11.2.4-h6",
        "PAN-OS 11.2.4-h5",
        "PAN-OS 11.2.4-h4",
        "PAN-OS 11.2.4-h3",
        "PAN-OS 11.2.4-h2",
        "PAN-OS 11.2.4-h1",
        "PAN-OS 11.2.4",
        "PAN-OS 11.2.3-h5",
        "PAN-OS 11.2.3-h4",
        "PAN-OS 11.2.3-h3",
        "PAN-OS 11.2.3-h2",
        "PAN-OS 11.2.3-h1",
        "PAN-OS 11.2.3",
        "PAN-OS 11.2.2-h2",
        "PAN-OS 11.2.2-h1",
        "PAN-OS 11.2.1-h1",
        "PAN-OS 11.2.1",
        "PAN-OS 11.2.0-h1",
        "PAN-OS 11.2.0",
        "PAN-OS 11.1.9",
        "PAN-OS 11.1.8",
        "PAN-OS 11.1.6-h14",
        "PAN-OS 11.1.6-h10",
        "PAN-OS 11.1.6-h7",
        "PAN-OS 11.1.6-h6",
        "PAN-OS 11.1.6-h4",
        "PAN-OS 11.1.6-h3",
        "PAN-OS 11.1.6-h2",
        "PAN-OS 11.1.6-h1",
        "PAN-OS 11.1.6",
        "PAN-OS 11.1.5-h1",
        "PAN-OS 11.1.5",
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-2182",
    "datePublished": "2025-08-13T17:03:21.617Z",
    "dateReserved": "2025-03-10T17:56:24.875Z",
    "dateUpdated": "2025-08-13T20:32:15.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4229 (GCVE-0-2025-4229)
Vulnerability from
Published
2025-06-13 05:42
Modified
2025-06-13 19:04
Severity ?
6.0 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/U:Amber
CWE
  • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Summary
An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall. Cloud NGFW and Prisma® Access are not affected by this vulnerability.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All
 Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.2.0   < 11.2.7
Version: 11.1.0   < 11.1.10
Version: 10.2.0   < 10.2.17
Version: 10.1.0   < 10.1.14-h16
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h15:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T19:04:35.901390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T19:04:49.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.16:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.15:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.14:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h15:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.2.7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.2.7",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.10",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.17",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.17",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.1.14-h16",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.1.14-h16",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo be vulnerable to this issue, an SD-WAN Interface Profile must be configured on PAN-OS. The interface must also be configured for Direct Internet Access (DIA). Adding an SD-WAN Interface Profile requires the Advanced SD-WAN License.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eYou can verify whether you configured an SD-WAN Interface Profile by checking for entries in your firewall web interface (Network \u2192 Network Profiles \u2192 SD-WAN Interface Profile).\u003cbr\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003eTo verify if you have Direct Internet Access, see our documentation about \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/sd-wan/administration/configure-direct-internet-access\"\u003econfiguring Direct Internet Access\u003c/a\u003e.\u003cbr\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "To be vulnerable to this issue, an SD-WAN Interface Profile must be configured on PAN-OS. The interface must also be configured for Direct Internet Access (DIA). Adding an SD-WAN Interface Profile requires the Advanced SD-WAN License.\n\n\nYou can verify whether you configured an SD-WAN Interface Profile by checking for entries in your firewall web interface (Network \u2192 Network Profiles \u2192 SD-WAN Interface Profile).\n\n\nTo verify if you have Direct Internet Access, see our documentation about  configuring Direct Internet Access https://docs.paloaltonetworks.com/sd-wan/administration/configure-direct-internet-access ."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "MMS Technology"
        }
      ],
      "datePublic": "2025-06-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall.\u003c/p\u003e\u003cp\u003eCloud NGFW and Prisma\u00ae Access are not affected by this vulnerability.\u003c/p\u003e"
            }
          ],
          "value": "An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall.\n\nCloud NGFW and Prisma\u00ae Access are not affected by this vulnerability."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T05:42:38.482Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-4229"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eCloud NGFW All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e11.2.0 through 11.2.6\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 11.2.7 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e11.1.0 through 11.1.9\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 11.1.10 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e10.2.0 through 10.2.16\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 10.2.17 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 10.1\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e10.1.0 through 10.1.14\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 10.1.14-h16 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nCloud NGFW All\nNo action needed.\n                                PAN-OS 11.2\n\n                                11.2.0 through 11.2.6\n                                Upgrade to 11.2.7 or later.\n                            \n                                PAN-OS 11.1\n\n                                11.1.0 through 11.1.9\n                                Upgrade to 11.1.10 or later.\n                            \n                                PAN-OS 10.2\n\n                                10.2.0 through 10.2.16\n                                Upgrade to 10.2.17 or later.\n                            \n                                PAN-OS 10.1\n\n                                10.1.0 through 10.1.14\n                                Upgrade to 10.1.14-h16 or later.\n                            All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.Prisma Access All\nNo action needed."
        }
      ],
      "source": {
        "defect": [
          "PAN-284744"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-11T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Traffic Information Disclosure Vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIf you are not using the SD-WAN feature of PAN-OS, you can mitigate this issue by disabling the SD-WAN feature. To disable SD-WAN feature, see our documentation about\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/sd-wan/activation-and-onboarding/uninstall-the-sd-wan-plugin\"\u003euninstalling SD-WAN plugin\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eIf you are using the SD-WAN feature but do not need Direct Internet Access, you can mitigate the issue by disabling Direct Internet Access on the SD-WAN Interface Profile by \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/sd-wan/administration/configure-direct-internet-access/backhaul-your-internet-traffic-to-sd-wan-hub\"\u003ebackhauling your internet traffic to SD-WAN hub\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "If you are not using the SD-WAN feature of PAN-OS, you can mitigate this issue by disabling the SD-WAN feature. To disable SD-WAN feature, see our documentation about\u00a0 uninstalling SD-WAN plugin https://docs.paloaltonetworks.com/sd-wan/activation-and-onboarding/uninstall-the-sd-wan-plugin .\n\nIf you are using the SD-WAN feature but do not need Direct Internet Access, you can mitigate the issue by disabling Direct Internet Access on the SD-WAN Interface Profile by  backhauling your internet traffic to SD-WAN hub https://docs.paloaltonetworks.com/sd-wan/administration/configure-direct-internet-access/backhaul-your-internet-traffic-to-sd-wan-hub ."
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.2.6",
        "PAN-OS 11.2.5",
        "PAN-OS 11.2.4-h8",
        "PAN-OS 11.2.4-h7",
        "PAN-OS 11.2.4-h6",
        "PAN-OS 11.2.4-h5",
        "PAN-OS 11.2.4-h4",
        "PAN-OS 11.2.4-h3",
        "PAN-OS 11.2.4-h2",
        "PAN-OS 11.2.4-h1",
        "PAN-OS 11.2.4",
        "PAN-OS 11.2.3-h5",
        "PAN-OS 11.2.3-h4",
        "PAN-OS 11.2.3-h3",
        "PAN-OS 11.2.3-h2",
        "PAN-OS 11.2.3-h1",
        "PAN-OS 11.2.3",
        "PAN-OS 11.2.2-h2",
        "PAN-OS 11.2.2-h1",
        "PAN-OS 11.2.1-h1",
        "PAN-OS 11.2.1",
        "PAN-OS 11.2.0-h1",
        "PAN-OS 11.2.0",
        "PAN-OS 11.1.9",
        "PAN-OS 11.1.8",
        "PAN-OS 11.1.6-h10",
        "PAN-OS 11.1.6-h7",
        "PAN-OS 11.1.6-h6",
        "PAN-OS 11.1.6-h4",
        "PAN-OS 11.1.6-h3",
        "PAN-OS 11.1.6-h2",
        "PAN-OS 11.1.6-h1",
        "PAN-OS 11.1.6",
        "PAN-OS 11.1.5-h1",
        "PAN-OS 11.1.5",
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0",
        "PAN-OS 10.2.16",
        "PAN-OS 10.2.15",
        "PAN-OS 10.2.14-h1",
        "PAN-OS 10.2.14",
        "PAN-OS 10.2.13-h10",
        "PAN-OS 10.2.13-h7",
        "PAN-OS 10.2.13-h5",
        "PAN-OS 10.2.13-h4",
        "PAN-OS 10.2.13-h3",
        "PAN-OS 10.2.13-h2",
        "PAN-OS 10.2.13-h1",
        "PAN-OS 10.2.13",
        "PAN-OS 10.2.12-h6",
        "PAN-OS 10.2.12-h5",
        "PAN-OS 10.2.12-h4",
        "PAN-OS 10.2.12-h3",
        "PAN-OS 10.2.12-h2",
        "PAN-OS 10.2.12-h1",
        "PAN-OS 10.2.12",
        "PAN-OS 10.2.11-h13",
        "PAN-OS 10.2.11-h12",
        "PAN-OS 10.2.11-h11",
        "PAN-OS 10.2.11-h10",
        "PAN-OS 10.2.11-h9",
        "PAN-OS 10.2.11-h8",
        "PAN-OS 10.2.11-h7",
        "PAN-OS 10.2.11-h6",
        "PAN-OS 10.2.11-h5",
        "PAN-OS 10.2.11-h4",
        "PAN-OS 10.2.11-h3",
        "PAN-OS 10.2.11-h2",
        "PAN-OS 10.2.11-h1",
        "PAN-OS 10.2.11",
        "PAN-OS 10.2.10-h21",
        "PAN-OS 10.2.10-h18",
        "PAN-OS 10.2.10-h17",
        "PAN-OS 10.2.10-h14",
        "PAN-OS 10.2.10-h13",
        "PAN-OS 10.2.10-h12",
        "PAN-OS 10.2.10-h11",
        "PAN-OS 10.2.10-h10",
        "PAN-OS 10.2.10-h9",
        "PAN-OS 10.2.10-h8",
        "PAN-OS 10.2.10-h7",
        "PAN-OS 10.2.10-h6",
        "PAN-OS 10.2.10-h5",
        "PAN-OS 10.2.10-h4",
        "PAN-OS 10.2.10-h3",
        "PAN-OS 10.2.10-h2",
        "PAN-OS 10.2.10-h1",
        "PAN-OS 10.2.10",
        "PAN-OS 10.2.9-h21",
        "PAN-OS 10.2.9-h20",
        "PAN-OS 10.2.9-h19",
        "PAN-OS 10.2.9-h18",
        "PAN-OS 10.2.9-h17",
        "PAN-OS 10.2.9-h16",
        "PAN-OS 10.2.9-h15",
        "PAN-OS 10.2.9-h14",
        "PAN-OS 10.2.9-h13",
        "PAN-OS 10.2.9-h12",
        "PAN-OS 10.2.9-h11",
        "PAN-OS 10.2.9-h10",
        "PAN-OS 10.2.9-h9",
        "PAN-OS 10.2.9-h8",
        "PAN-OS 10.2.9-h7",
        "PAN-OS 10.2.9-h6",
        "PAN-OS 10.2.9-h5",
        "PAN-OS 10.2.9-h4",
        "PAN-OS 10.2.9-h3",
        "PAN-OS 10.2.9-h2",
        "PAN-OS 10.2.9-h1",
        "PAN-OS 10.2.9",
        "PAN-OS 10.2.8-h21",
        "PAN-OS 10.2.8-h20",
        "PAN-OS 10.2.8-h19",
        "PAN-OS 10.2.8-h18",
        "PAN-OS 10.2.8-h17",
        "PAN-OS 10.2.8-h16",
        "PAN-OS 10.2.8-h15",
        "PAN-OS 10.2.8-h14",
        "PAN-OS 10.2.8-h13",
        "PAN-OS 10.2.8-h12",
        "PAN-OS 10.2.8-h11",
        "PAN-OS 10.2.8-h10",
        "PAN-OS 10.2.8-h9",
        "PAN-OS 10.2.8-h8",
        "PAN-OS 10.2.8-h7",
        "PAN-OS 10.2.8-h6",
        "PAN-OS 10.2.8-h5",
        "PAN-OS 10.2.8-h4",
        "PAN-OS 10.2.8-h3",
        "PAN-OS 10.2.8-h2",
        "PAN-OS 10.2.8-h1",
        "PAN-OS 10.2.8",
        "PAN-OS 10.2.7-h24",
        "PAN-OS 10.2.7-h23",
        "PAN-OS 10.2.7-h22",
        "PAN-OS 10.2.7-h21",
        "PAN-OS 10.2.7-h20",
        "PAN-OS 10.2.7-h19",
        "PAN-OS 10.2.7-h18",
        "PAN-OS 10.2.7-h17",
        "PAN-OS 10.2.7-h16",
        "PAN-OS 10.2.7-h15",
        "PAN-OS 10.2.7-h14",
        "PAN-OS 10.2.7-h13",
        "PAN-OS 10.2.7-h12",
        "PAN-OS 10.2.7-h11",
        "PAN-OS 10.2.7-h10",
        "PAN-OS 10.2.7-h9",
        "PAN-OS 10.2.7-h8",
        "PAN-OS 10.2.7-h7",
        "PAN-OS 10.2.7-h6",
        "PAN-OS 10.2.7-h5",
        "PAN-OS 10.2.7-h4",
        "PAN-OS 10.2.7-h3",
        "PAN-OS 10.2.7-h2",
        "PAN-OS 10.2.7-h1",
        "PAN-OS 10.2.7",
        "PAN-OS 10.2.6-h6",
        "PAN-OS 10.2.6-h5",
        "PAN-OS 10.2.6-h4",
        "PAN-OS 10.2.6-h3",
        "PAN-OS 10.2.6-h2",
        "PAN-OS 10.2.6-h1",
        "PAN-OS 10.2.6",
        "PAN-OS 10.2.5-h9",
        "PAN-OS 10.2.5-h8",
        "PAN-OS 10.2.5-h7",
        "PAN-OS 10.2.5-h6",
        "PAN-OS 10.2.5-h5",
        "PAN-OS 10.2.5-h4",
        "PAN-OS 10.2.5-h3",
        "PAN-OS 10.2.5-h2",
        "PAN-OS 10.2.5-h1",
        "PAN-OS 10.2.5",
        "PAN-OS 10.2.4-h32",
        "PAN-OS 10.2.4-h31",
        "PAN-OS 10.2.4-h30",
        "PAN-OS 10.2.4-h29",
        "PAN-OS 10.2.4-h28",
        "PAN-OS 10.2.4-h27",
        "PAN-OS 10.2.4-h26",
        "PAN-OS 10.2.4-h25",
        "PAN-OS 10.2.4-h24",
        "PAN-OS 10.2.4-h23",
        "PAN-OS 10.2.4-h22",
        "PAN-OS 10.2.4-h21",
        "PAN-OS 10.2.4-h20",
        "PAN-OS 10.2.4-h19",
        "PAN-OS 10.2.4-h18",
        "PAN-OS 10.2.4-h17",
        "PAN-OS 10.2.4-h16",
        "PAN-OS 10.2.4-h15",
        "PAN-OS 10.2.4-h14",
        "PAN-OS 10.2.4-h13",
        "PAN-OS 10.2.4-h12",
        "PAN-OS 10.2.4-h11",
        "PAN-OS 10.2.4-h10",
        "PAN-OS 10.2.4-h9",
        "PAN-OS 10.2.4-h8",
        "PAN-OS 10.2.4-h7",
        "PAN-OS 10.2.4-h6",
        "PAN-OS 10.2.4-h5",
        "PAN-OS 10.2.4-h4",
        "PAN-OS 10.2.4-h3",
        "PAN-OS 10.2.4-h2",
        "PAN-OS 10.2.4-h1",
        "PAN-OS 10.2.4",
        "PAN-OS 10.2.3-h14",
        "PAN-OS 10.2.3-h13",
        "PAN-OS 10.2.3-h12",
        "PAN-OS 10.2.3-h11",
        "PAN-OS 10.2.3-h10",
        "PAN-OS 10.2.3-h9",
        "PAN-OS 10.2.3-h8",
        "PAN-OS 10.2.3-h7",
        "PAN-OS 10.2.3-h6",
        "PAN-OS 10.2.3-h5",
        "PAN-OS 10.2.3-h4",
        "PAN-OS 10.2.3-h3",
        "PAN-OS 10.2.3-h2",
        "PAN-OS 10.2.3-h1",
        "PAN-OS 10.2.3",
        "PAN-OS 10.2.2-h6",
        "PAN-OS 10.2.2-h5",
        "PAN-OS 10.2.2-h4",
        "PAN-OS 10.2.2-h3",
        "PAN-OS 10.2.2-h2",
        "PAN-OS 10.2.2-h1",
        "PAN-OS 10.2.2",
        "PAN-OS 10.2.1-h3",
        "PAN-OS 10.2.1-h2",
        "PAN-OS 10.2.1-h1",
        "PAN-OS 10.2.1",
        "PAN-OS 10.2.0-h4",
        "PAN-OS 10.2.0-h3",
        "PAN-OS 10.2.0-h2",
        "PAN-OS 10.2.0-h1",
        "PAN-OS 10.2.0",
        "PAN-OS 10.1.14-h15",
        "PAN-OS 10.1.14-h14",
        "PAN-OS 10.1.14-h13",
        "PAN-OS 10.1.14-h11",
        "PAN-OS 10.1.14-h10",
        "PAN-OS 10.1.14-h9",
        "PAN-OS 10.1.14-h8",
        "PAN-OS 10.1.14-h7",
        "PAN-OS 10.1.14-h6",
        "PAN-OS 10.1.14-h5",
        "PAN-OS 10.1.14-h4",
        "PAN-OS 10.1.14-h3",
        "PAN-OS 10.1.14-h2",
        "PAN-OS 10.1.14-h1",
        "PAN-OS 10.1.14",
        "PAN-OS 10.1.13-h5",
        "PAN-OS 10.1.13-h4",
        "PAN-OS 10.1.13-h3",
        "PAN-OS 10.1.13-h2",
        "PAN-OS 10.1.13-h1",
        "PAN-OS 10.1.13",
        "PAN-OS 10.1.12-h3",
        "PAN-OS 10.1.12-h2",
        "PAN-OS 10.1.12-h1",
        "PAN-OS 10.1.12",
        "PAN-OS 10.1.11-h10",
        "PAN-OS 10.1.11-h9",
        "PAN-OS 10.1.11-h8",
        "PAN-OS 10.1.11-h7",
        "PAN-OS 10.1.11-h6",
        "PAN-OS 10.1.11-h5",
        "PAN-OS 10.1.11-h4",
        "PAN-OS 10.1.11-h3",
        "PAN-OS 10.1.11-h2",
        "PAN-OS 10.1.11-h1",
        "PAN-OS 10.1.11",
        "PAN-OS 10.1.10-h9",
        "PAN-OS 10.1.10-h8",
        "PAN-OS 10.1.10-h7",
        "PAN-OS 10.1.10-h6",
        "PAN-OS 10.1.10-h5",
        "PAN-OS 10.1.10-h4",
        "PAN-OS 10.1.10-h3",
        "PAN-OS 10.1.10-h2",
        "PAN-OS 10.1.10-h1",
        "PAN-OS 10.1.10",
        "PAN-OS 10.1.9-h14",
        "PAN-OS 10.1.9-h13",
        "PAN-OS 10.1.9-h12",
        "PAN-OS 10.1.9-h11",
        "PAN-OS 10.1.9-h10",
        "PAN-OS 10.1.9-h9",
        "PAN-OS 10.1.9-h8",
        "PAN-OS 10.1.9-h7",
        "PAN-OS 10.1.9-h6",
        "PAN-OS 10.1.9-h5",
        "PAN-OS 10.1.9-h4",
        "PAN-OS 10.1.9-h3",
        "PAN-OS 10.1.9-h2",
        "PAN-OS 10.1.9-h1",
        "PAN-OS 10.1.9",
        "PAN-OS 10.1.8-h8",
        "PAN-OS 10.1.8-h7",
        "PAN-OS 10.1.8-h6",
        "PAN-OS 10.1.8-h5",
        "PAN-OS 10.1.8-h4",
        "PAN-OS 10.1.8-h3",
        "PAN-OS 10.1.8-h2",
        "PAN-OS 10.1.8-h1",
        "PAN-OS 10.1.8",
        "PAN-OS 10.1.7-h1",
        "PAN-OS 10.1.7",
        "PAN-OS 10.1.6-h9",
        "PAN-OS 10.1.6-h8",
        "PAN-OS 10.1.6-h7",
        "PAN-OS 10.1.6-h6",
        "PAN-OS 10.1.6-h5",
        "PAN-OS 10.1.6-h4",
        "PAN-OS 10.1.6-h3",
        "PAN-OS 10.1.6-h2",
        "PAN-OS 10.1.6-h1",
        "PAN-OS 10.1.6",
        "PAN-OS 10.1.5-h4",
        "PAN-OS 10.1.5-h3",
        "PAN-OS 10.1.5-h2",
        "PAN-OS 10.1.5-h1",
        "PAN-OS 10.1.5",
        "PAN-OS 10.1.4-h6",
        "PAN-OS 10.1.4-h5",
        "PAN-OS 10.1.4-h4",
        "PAN-OS 10.1.4-h3",
        "PAN-OS 10.1.4-h2",
        "PAN-OS 10.1.4-h1",
        "PAN-OS 10.1.4",
        "PAN-OS 10.1.3-h4",
        "PAN-OS 10.1.3-h3",
        "PAN-OS 10.1.3-h2",
        "PAN-OS 10.1.3-h1",
        "PAN-OS 10.1.3",
        "PAN-OS 10.1.2",
        "PAN-OS 10.1.1",
        "PAN-OS 10.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-4229",
    "datePublished": "2025-06-13T05:42:38.482Z",
    "dateReserved": "2025-05-02T19:10:42.207Z",
    "dateUpdated": "2025-06-13T19:04:49.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4231 (GCVE-0-2025-4231)
Vulnerability from
Published
2025-06-12 23:27
Modified
2025-06-13 13:32
Severity ?
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
7.1 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
CWE
  • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
A command injection vulnerability in Palo Alto Networks PAN-OS® enables an authenticated administrative user to perform actions as the root user. The attacker must have network access to the management web interface and successfully authenticate to exploit this issue. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All   < 6.3.3
 Create a notification for this product.
   Palo Alto Networks PAN-OS Patch: 11.2.0
Patch: 11.1.0
Version: 11.0.0   < 11.0.3
Version: 10.2.0   < 10.2.8
Version: 10.1.0   <
    cpe:2.3:o:palo_alto_networks:pan-os:11.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4231",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T03:55:19.943513Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T13:32:58.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3",
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:palo_alto_networks:pan-os:11.0.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.0.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.3",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.8",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eDirectly; or\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThrough a dataplane interface that includes a management interface profile.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\u003c/p\u003e\u003cp\u003eUse the following steps to identify your recently detected devices in our internet scans.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eTo find any assets that require remediation, visit the Assets section of the Customer Support Portal:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com/\"\u003ehttps://support.paloaltonetworks.com\u003c/a\u003e\u0026nbsp;and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eReview the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\u003cbr\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u003cp\u003eGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443).\u003c/p\u003e\u003c/div\u003e\u003cb\u003e\u003cp\u003e\u003c/p\u003e\u003c/b\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "The risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\n\n  *  Directly; or\n\n\n  *  Through a dataplane interface that includes a management interface profile.\n\n\nYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\n\nUse the following steps to identify your recently detected devices in our internet scans.\n\n  *  To find any assets that require remediation, visit the Assets section of the Customer Support Portal: https://support.paloaltonetworks.com https://support.paloaltonetworks.com/ \u00a0and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\n\n\n  *  Review the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\n\n\n\nGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443)."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "spcnvdr"
        }
      ],
      "datePublic": "2025-06-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A command injection vulnerability in Palo Alto Networks PAN-OS\u00ae enables an authenticated administrative user to perform actions as the root user.\u003cbr\u003e\u003cbr\u003eThe attacker must have network access to the management web interface and successfully authenticate to exploit this issue.\u003cbr\u003e\u003cbr\u003eCloud NGFW and Prisma Access are not impacted by this vulnerability."
            }
          ],
          "value": "A command injection vulnerability in Palo Alto Networks PAN-OS\u00ae enables an authenticated administrative user to perform actions as the root user.\n\nThe attacker must have network access to the management web interface and successfully authenticate to exploit this issue.\n\nCloud NGFW and Prisma Access are not impacted by this vulnerability."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "The risk is highest when you allow access to the management interface from external IP addresses on the internet."
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "You can greatly reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses."
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T23:27:31.432Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-4231"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 11.0*\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e11.0.0 through 11.0.2\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 11.0.3 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e10.2.0 through 10.2.7\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 10.2.8 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.8 or 11.0.3 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cp\u003e*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version.\u003c/p\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\nNo action needed.PAN-OS 11.1\nNo action needed.\n                                PAN-OS 11.0*\n\n                                11.0.0 through 11.0.2\n                                Upgrade to 11.0.3 or later.\n                            \n                                PAN-OS 10.2\n\n                                10.2.0 through 10.2.7\n                                Upgrade to 10.2.8 or later.\n                            PAN-OS 10.1Upgrade to 10.2.8 or 11.0.3 or later.All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\n*PAN-OS 11.0 has reached EoL. We listed it here for completeness because a patch for PAN-OS 11.0 was released before it reached EoL. If you are still using any vulnerable EoL versions, we strongly recommend that you upgrade to a supported fixed PAN-OS version."
        }
      ],
      "source": {
        "defect": [
          "PAN-215223"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-11T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Authenticated Admin Command Injection Vulnerability in the Management Web Interface",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eRecommended mitigation\u003c/b\u003e\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ecritical deployment guidelines\u003c/a\u003e. Specifically, you should restrict management interface access to only trusted internal IP addresses.\u003c/p\u003e\u003cp\u003eReview more information about how to secure management access to your Palo Alto Networks firewalls in these documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks LIVEcommunity article: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ehttps://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks official and detailed technical documentation: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our  https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n\n\n\n\n  *  Palo Alto Networks official and detailed technical documentation:  https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices"
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.0.2-h5",
        "PAN-OS 11.0.2-h4",
        "PAN-OS 11.0.2-h3",
        "PAN-OS 11.0.2-h2",
        "PAN-OS 11.0.2-h1",
        "PAN-OS 11.0.2",
        "PAN-OS 11.0.1-h5",
        "PAN-OS 11.0.1-h4",
        "PAN-OS 11.0.1-h3",
        "PAN-OS 11.0.1-h2",
        "PAN-OS 11.0.1-h1",
        "PAN-OS 11.0.1",
        "PAN-OS 11.0.0-h4",
        "PAN-OS 11.0.0-h3",
        "PAN-OS 11.0.0-h2",
        "PAN-OS 11.0.0-h1",
        "PAN-OS 11.0.0",
        "PAN-OS 10.2.7-h24",
        "PAN-OS 10.2.7-h23",
        "PAN-OS 10.2.7-h22",
        "PAN-OS 10.2.7-h21",
        "PAN-OS 10.2.7-h20",
        "PAN-OS 10.2.7-h19",
        "PAN-OS 10.2.7-h18",
        "PAN-OS 10.2.7-h17",
        "PAN-OS 10.2.7-h16",
        "PAN-OS 10.2.7-h15",
        "PAN-OS 10.2.7-h14",
        "PAN-OS 10.2.7-h13",
        "PAN-OS 10.2.7-h12",
        "PAN-OS 10.2.7-h11",
        "PAN-OS 10.2.7-h10",
        "PAN-OS 10.2.7-h9",
        "PAN-OS 10.2.7-h8",
        "PAN-OS 10.2.7-h7",
        "PAN-OS 10.2.7-h6",
        "PAN-OS 10.2.7-h5",
        "PAN-OS 10.2.7-h4",
        "PAN-OS 10.2.7-h3",
        "PAN-OS 10.2.7-h2",
        "PAN-OS 10.2.7-h1",
        "PAN-OS 10.2.7",
        "PAN-OS 10.2.6-h6",
        "PAN-OS 10.2.6-h5",
        "PAN-OS 10.2.6-h4",
        "PAN-OS 10.2.6-h3",
        "PAN-OS 10.2.6-h2",
        "PAN-OS 10.2.6-h1",
        "PAN-OS 10.2.6",
        "PAN-OS 10.2.5-h9",
        "PAN-OS 10.2.5-h8",
        "PAN-OS 10.2.5-h7",
        "PAN-OS 10.2.5-h6",
        "PAN-OS 10.2.5-h5",
        "PAN-OS 10.2.5-h4",
        "PAN-OS 10.2.5-h3",
        "PAN-OS 10.2.5-h2",
        "PAN-OS 10.2.5-h1",
        "PAN-OS 10.2.5",
        "PAN-OS 10.2.4-h32",
        "PAN-OS 10.2.4-h31",
        "PAN-OS 10.2.4-h30",
        "PAN-OS 10.2.4-h29",
        "PAN-OS 10.2.4-h28",
        "PAN-OS 10.2.4-h27",
        "PAN-OS 10.2.4-h26",
        "PAN-OS 10.2.4-h25",
        "PAN-OS 10.2.4-h24",
        "PAN-OS 10.2.4-h23",
        "PAN-OS 10.2.4-h22",
        "PAN-OS 10.2.4-h21",
        "PAN-OS 10.2.4-h20",
        "PAN-OS 10.2.4-h19",
        "PAN-OS 10.2.4-h18",
        "PAN-OS 10.2.4-h17",
        "PAN-OS 10.2.4-h16",
        "PAN-OS 10.2.4-h15",
        "PAN-OS 10.2.4-h14",
        "PAN-OS 10.2.4-h13",
        "PAN-OS 10.2.4-h12",
        "PAN-OS 10.2.4-h11",
        "PAN-OS 10.2.4-h10",
        "PAN-OS 10.2.4-h9",
        "PAN-OS 10.2.4-h8",
        "PAN-OS 10.2.4-h7",
        "PAN-OS 10.2.4-h6",
        "PAN-OS 10.2.4-h5",
        "PAN-OS 10.2.4-h4",
        "PAN-OS 10.2.4-h3",
        "PAN-OS 10.2.4-h2",
        "PAN-OS 10.2.4-h1",
        "PAN-OS 10.2.4",
        "PAN-OS 10.2.3-h14",
        "PAN-OS 10.2.3-h13",
        "PAN-OS 10.2.3-h12",
        "PAN-OS 10.2.3-h11",
        "PAN-OS 10.2.3-h10",
        "PAN-OS 10.2.3-h9",
        "PAN-OS 10.2.3-h8",
        "PAN-OS 10.2.3-h7",
        "PAN-OS 10.2.3-h6",
        "PAN-OS 10.2.3-h5",
        "PAN-OS 10.2.3-h4",
        "PAN-OS 10.2.3-h3",
        "PAN-OS 10.2.3-h2",
        "PAN-OS 10.2.3-h1",
        "PAN-OS 10.2.3",
        "PAN-OS 10.2.2-h6",
        "PAN-OS 10.2.2-h5",
        "PAN-OS 10.2.2-h4",
        "PAN-OS 10.2.2-h3",
        "PAN-OS 10.2.2-h2",
        "PAN-OS 10.2.2-h1",
        "PAN-OS 10.2.2",
        "PAN-OS 10.2.1-h3",
        "PAN-OS 10.2.1-h2",
        "PAN-OS 10.2.1-h1",
        "PAN-OS 10.2.1",
        "PAN-OS 10.2.0-h4",
        "PAN-OS 10.2.0-h3",
        "PAN-OS 10.2.0-h2",
        "PAN-OS 10.2.0-h1",
        "PAN-OS 10.2.0",
        "PAN-OS 10.1.14-h14",
        "PAN-OS 10.1.14-h13",
        "PAN-OS 10.1.14-h11",
        "PAN-OS 10.1.14-h10",
        "PAN-OS 10.1.14-h9",
        "PAN-OS 10.1.14-h8",
        "PAN-OS 10.1.14-h7",
        "PAN-OS 10.1.14-h6",
        "PAN-OS 10.1.14-h5",
        "PAN-OS 10.1.14-h4",
        "PAN-OS 10.1.14-h3",
        "PAN-OS 10.1.14-h2",
        "PAN-OS 10.1.14-h1",
        "PAN-OS 10.1.14",
        "PAN-OS 10.1.13-h5",
        "PAN-OS 10.1.13-h4",
        "PAN-OS 10.1.13-h3",
        "PAN-OS 10.1.13-h2",
        "PAN-OS 10.1.13-h1",
        "PAN-OS 10.1.13",
        "PAN-OS 10.1.12-h3",
        "PAN-OS 10.1.12-h2",
        "PAN-OS 10.1.12-h1",
        "PAN-OS 10.1.12",
        "PAN-OS 10.1.11-h10",
        "PAN-OS 10.1.11-h9",
        "PAN-OS 10.1.11-h8",
        "PAN-OS 10.1.11-h7",
        "PAN-OS 10.1.11-h6",
        "PAN-OS 10.1.11-h5",
        "PAN-OS 10.1.11-h4",
        "PAN-OS 10.1.11-h3",
        "PAN-OS 10.1.11-h2",
        "PAN-OS 10.1.11-h1",
        "PAN-OS 10.1.11",
        "PAN-OS 10.1.10-h9",
        "PAN-OS 10.1.10-h8",
        "PAN-OS 10.1.10-h7",
        "PAN-OS 10.1.10-h6",
        "PAN-OS 10.1.10-h5",
        "PAN-OS 10.1.10-h4",
        "PAN-OS 10.1.10-h3",
        "PAN-OS 10.1.10-h2",
        "PAN-OS 10.1.10-h1",
        "PAN-OS 10.1.10",
        "PAN-OS 10.1.9-h14",
        "PAN-OS 10.1.9-h13",
        "PAN-OS 10.1.9-h12",
        "PAN-OS 10.1.9-h11",
        "PAN-OS 10.1.9-h10",
        "PAN-OS 10.1.9-h9",
        "PAN-OS 10.1.9-h8",
        "PAN-OS 10.1.9-h7",
        "PAN-OS 10.1.9-h6",
        "PAN-OS 10.1.9-h5",
        "PAN-OS 10.1.9-h4",
        "PAN-OS 10.1.9-h3",
        "PAN-OS 10.1.9-h2",
        "PAN-OS 10.1.9-h1",
        "PAN-OS 10.1.9",
        "PAN-OS 10.1.8-h8",
        "PAN-OS 10.1.8-h7",
        "PAN-OS 10.1.8-h6",
        "PAN-OS 10.1.8-h5",
        "PAN-OS 10.1.8-h4",
        "PAN-OS 10.1.8-h3",
        "PAN-OS 10.1.8-h2",
        "PAN-OS 10.1.8-h1",
        "PAN-OS 10.1.8",
        "PAN-OS 10.1.7-h1",
        "PAN-OS 10.1.7",
        "PAN-OS 10.1.6-h9",
        "PAN-OS 10.1.6-h8",
        "PAN-OS 10.1.6-h7",
        "PAN-OS 10.1.6-h6",
        "PAN-OS 10.1.6-h5",
        "PAN-OS 10.1.6-h4",
        "PAN-OS 10.1.6-h3",
        "PAN-OS 10.1.6-h2",
        "PAN-OS 10.1.6-h1",
        "PAN-OS 10.1.6",
        "PAN-OS 10.1.5-h4",
        "PAN-OS 10.1.5-h3",
        "PAN-OS 10.1.5-h2",
        "PAN-OS 10.1.5-h1",
        "PAN-OS 10.1.5",
        "PAN-OS 10.1.4-h6",
        "PAN-OS 10.1.4-h5",
        "PAN-OS 10.1.4-h4",
        "PAN-OS 10.1.4-h3",
        "PAN-OS 10.1.4-h2",
        "PAN-OS 10.1.4-h1",
        "PAN-OS 10.1.4",
        "PAN-OS 10.1.3-h4",
        "PAN-OS 10.1.3-h3",
        "PAN-OS 10.1.3-h2",
        "PAN-OS 10.1.3-h1",
        "PAN-OS 10.1.3",
        "PAN-OS 10.1.2",
        "PAN-OS 10.1.1",
        "PAN-OS 10.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-4231",
    "datePublished": "2025-06-12T23:27:31.432Z",
    "dateReserved": "2025-05-02T19:10:44.240Z",
    "dateUpdated": "2025-06-13T13:32:58.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4230 (GCVE-0-2025-4230)
Vulnerability from
Published
2025-06-12 23:30
Modified
2025-06-13 13:32
Severity ?
8.4 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/U:Amber
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All   < 6.3.3
 Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.2.0   < 11.2.6
Version: 11.1.0   < 11.1.10
Version: 10.2.0   < 10.2.14
Version: 10.1.0   < 10.1.14-h15
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4230",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T03:55:21.285455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T13:32:41.271Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3",
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h14:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h13:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h11:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h10:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h9:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h8:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h7:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h6:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h5:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h4:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h3:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h2:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:h1:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.14:-:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:palo_alto_networks:pan-os:10.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.2.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.2.6",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.10",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.10",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.14",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.1.14-h15",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.1.14-h15",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No special configuration is required to be affected by this issue."
            }
          ],
          "value": "No special configuration is required to be affected by this issue."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Visa Inc."
        }
      ],
      "datePublic": "2025-06-11T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA command injection vulnerability in Palo Alto Networks PAN-OS\u00ae software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI.\u003c/p\u003eThe security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. \u003cb\u003e\u003cbr\u003e\u003cbr\u003e\u003c/b\u003eCloud NGFW and Prisma\u00ae Access are not affected by this vulnerability."
            }
          ],
          "value": "A command injection vulnerability in Palo Alto Networks PAN-OS\u00ae software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI.\n\nThe security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. \n\nCloud NGFW and Prisma\u00ae Access are not affected by this vulnerability."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-248",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-248 Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/R:U/V:D/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T23:30:15.781Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-4230"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eCloud NGFW All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e11.2.0 through 11.2.5\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 11.2.6 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 11.1\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e11.1.0 through 11.1.9\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 11.1.10 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e10.2.0 through 10.2.13\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 10.2.14 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\n                                \u003ctd\u003ePAN-OS 10.1\u003cbr\u003e\u003c/td\u003e\n                                \u003ctd\u003e10.1.0 through 10.1.14\u003c/td\u003e\n                                \u003ctd\u003eUpgrade to 10.1.14-h15 or later.\u003c/td\u003e\n                            \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePrisma Access All\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nCloud NGFW All\nNo action needed.\n                                PAN-OS 11.2\n\n                                11.2.0 through 11.2.5\n                                Upgrade to 11.2.6 or later.\n                            \n                                PAN-OS 11.1\n\n                                11.1.0 through 11.1.9\n                                Upgrade to 11.1.10 or later.\n                            \n                                PAN-OS 10.2\n\n                                10.2.0 through 10.2.13\n                                Upgrade to 10.2.14 or later.\n                            \n                                PAN-OS 10.1\n\n                                10.1.0 through 10.1.14\n                                Upgrade to 10.1.14-h15 or later.\n                            All older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.Prisma Access All\nNo action needed."
        }
      ],
      "source": {
        "defect": [
          "PAN-271215"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-11T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Authenticated Admin Command Injection Vulnerability Through CLI",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No workaround or mitigation is available."
            }
          ],
          "value": "No workaround or mitigation is available."
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.2.5",
        "PAN-OS 11.2.4-h8",
        "PAN-OS 11.2.4-h7",
        "PAN-OS 11.2.4-h6",
        "PAN-OS 11.2.4-h5",
        "PAN-OS 11.2.4-h4",
        "PAN-OS 11.2.4-h3",
        "PAN-OS 11.2.4-h2",
        "PAN-OS 11.2.4-h1",
        "PAN-OS 11.2.4",
        "PAN-OS 11.2.3-h5",
        "PAN-OS 11.2.3-h4",
        "PAN-OS 11.2.3-h3",
        "PAN-OS 11.2.3-h2",
        "PAN-OS 11.2.3-h1",
        "PAN-OS 11.2.3",
        "PAN-OS 11.2.2-h2",
        "PAN-OS 11.2.2-h1",
        "PAN-OS 11.2.1-h1",
        "PAN-OS 11.2.1",
        "PAN-OS 11.2.0-h1",
        "PAN-OS 11.2.0",
        "PAN-OS 11.1.9",
        "PAN-OS 11.1.8",
        "PAN-OS 11.1.6-h10",
        "PAN-OS 11.1.6-h7",
        "PAN-OS 11.1.6-h6",
        "PAN-OS 11.1.6-h4",
        "PAN-OS 11.1.6-h3",
        "PAN-OS 11.1.6-h2",
        "PAN-OS 11.1.6-h1",
        "PAN-OS 11.1.6",
        "PAN-OS 11.1.5-h1",
        "PAN-OS 11.1.5",
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0",
        "PAN-OS 10.2.11-h12",
        "PAN-OS 10.2.11-h11",
        "PAN-OS 10.2.11-h10",
        "PAN-OS 10.2.11-h9",
        "PAN-OS 10.2.11-h8",
        "PAN-OS 10.2.11-h7",
        "PAN-OS 10.2.11-h6",
        "PAN-OS 10.2.11-h5",
        "PAN-OS 10.2.11-h4",
        "PAN-OS 10.2.11-h3",
        "PAN-OS 10.2.11-h2",
        "PAN-OS 10.2.11-h1",
        "PAN-OS 10.2.11",
        "PAN-OS 10.2.10-h21",
        "PAN-OS 10.2.10-h18",
        "PAN-OS 10.2.10-h17",
        "PAN-OS 10.2.10-h14",
        "PAN-OS 10.2.10-h13",
        "PAN-OS 10.2.10-h12",
        "PAN-OS 10.2.10-h11",
        "PAN-OS 10.2.10-h10",
        "PAN-OS 10.2.10-h9",
        "PAN-OS 10.2.10-h8",
        "PAN-OS 10.2.10-h7",
        "PAN-OS 10.2.10-h6",
        "PAN-OS 10.2.10-h5",
        "PAN-OS 10.2.10-h4",
        "PAN-OS 10.2.10-h3",
        "PAN-OS 10.2.10-h2",
        "PAN-OS 10.2.10-h1",
        "PAN-OS 10.2.10",
        "PAN-OS 10.2.9-h21",
        "PAN-OS 10.2.9-h20",
        "PAN-OS 10.2.9-h19",
        "PAN-OS 10.2.9-h18",
        "PAN-OS 10.2.9-h17",
        "PAN-OS 10.2.9-h16",
        "PAN-OS 10.2.9-h15",
        "PAN-OS 10.2.9-h14",
        "PAN-OS 10.2.9-h13",
        "PAN-OS 10.2.9-h12",
        "PAN-OS 10.2.9-h11",
        "PAN-OS 10.2.9-h10",
        "PAN-OS 10.2.9-h9",
        "PAN-OS 10.2.9-h8",
        "PAN-OS 10.2.9-h7",
        "PAN-OS 10.2.9-h6",
        "PAN-OS 10.2.9-h5",
        "PAN-OS 10.2.9-h4",
        "PAN-OS 10.2.9-h3",
        "PAN-OS 10.2.9-h2",
        "PAN-OS 10.2.9-h1",
        "PAN-OS 10.2.9",
        "PAN-OS 10.2.8-h21",
        "PAN-OS 10.2.8-h20",
        "PAN-OS 10.2.8-h19",
        "PAN-OS 10.2.8-h18",
        "PAN-OS 10.2.8-h17",
        "PAN-OS 10.2.8-h16",
        "PAN-OS 10.2.8-h15",
        "PAN-OS 10.2.8-h14",
        "PAN-OS 10.2.8-h13",
        "PAN-OS 10.2.8-h12",
        "PAN-OS 10.2.8-h11",
        "PAN-OS 10.2.8-h10",
        "PAN-OS 10.2.8-h9",
        "PAN-OS 10.2.8-h8",
        "PAN-OS 10.2.8-h7",
        "PAN-OS 10.2.8-h6",
        "PAN-OS 10.2.8-h5",
        "PAN-OS 10.2.8-h4",
        "PAN-OS 10.2.8-h3",
        "PAN-OS 10.2.8-h2",
        "PAN-OS 10.2.8-h1",
        "PAN-OS 10.2.8",
        "PAN-OS 10.2.7-h24",
        "PAN-OS 10.2.7-h23",
        "PAN-OS 10.2.7-h22",
        "PAN-OS 10.2.7-h21",
        "PAN-OS 10.2.7-h20",
        "PAN-OS 10.2.7-h19",
        "PAN-OS 10.2.7-h18",
        "PAN-OS 10.2.7-h17",
        "PAN-OS 10.2.7-h16",
        "PAN-OS 10.2.7-h15",
        "PAN-OS 10.2.7-h14",
        "PAN-OS 10.2.7-h13",
        "PAN-OS 10.2.7-h12",
        "PAN-OS 10.2.7-h11",
        "PAN-OS 10.2.7-h10",
        "PAN-OS 10.2.7-h9",
        "PAN-OS 10.2.7-h8",
        "PAN-OS 10.2.7-h7",
        "PAN-OS 10.2.7-h6",
        "PAN-OS 10.2.7-h5",
        "PAN-OS 10.2.7-h4",
        "PAN-OS 10.2.7-h3",
        "PAN-OS 10.2.7-h2",
        "PAN-OS 10.2.7-h1",
        "PAN-OS 10.2.7",
        "PAN-OS 10.2.6-h6",
        "PAN-OS 10.2.6-h5",
        "PAN-OS 10.2.6-h4",
        "PAN-OS 10.2.6-h3",
        "PAN-OS 10.2.6-h2",
        "PAN-OS 10.2.6-h1",
        "PAN-OS 10.2.6",
        "PAN-OS 10.2.5-h9",
        "PAN-OS 10.2.5-h8",
        "PAN-OS 10.2.5-h7",
        "PAN-OS 10.2.5-h6",
        "PAN-OS 10.2.5-h5",
        "PAN-OS 10.2.5-h4",
        "PAN-OS 10.2.5-h3",
        "PAN-OS 10.2.5-h2",
        "PAN-OS 10.2.5-h1",
        "PAN-OS 10.2.5",
        "PAN-OS 10.2.4-h32",
        "PAN-OS 10.2.4-h31",
        "PAN-OS 10.2.4-h30",
        "PAN-OS 10.2.4-h29",
        "PAN-OS 10.2.4-h28",
        "PAN-OS 10.2.4-h27",
        "PAN-OS 10.2.4-h26",
        "PAN-OS 10.2.4-h25",
        "PAN-OS 10.2.4-h24",
        "PAN-OS 10.2.4-h23",
        "PAN-OS 10.2.4-h22",
        "PAN-OS 10.2.4-h21",
        "PAN-OS 10.2.4-h20",
        "PAN-OS 10.2.4-h19",
        "PAN-OS 10.2.4-h18",
        "PAN-OS 10.2.4-h17",
        "PAN-OS 10.2.4-h16",
        "PAN-OS 10.2.4-h15",
        "PAN-OS 10.2.4-h14",
        "PAN-OS 10.2.4-h13",
        "PAN-OS 10.2.4-h12",
        "PAN-OS 10.2.4-h11",
        "PAN-OS 10.2.4-h10",
        "PAN-OS 10.2.4-h9",
        "PAN-OS 10.2.4-h8",
        "PAN-OS 10.2.4-h7",
        "PAN-OS 10.2.4-h6",
        "PAN-OS 10.2.4-h5",
        "PAN-OS 10.2.4-h4",
        "PAN-OS 10.2.4-h3",
        "PAN-OS 10.2.4-h2",
        "PAN-OS 10.2.4-h1",
        "PAN-OS 10.2.4",
        "PAN-OS 10.2.3-h14",
        "PAN-OS 10.2.3-h13",
        "PAN-OS 10.2.3-h12",
        "PAN-OS 10.2.3-h11",
        "PAN-OS 10.2.3-h10",
        "PAN-OS 10.2.3-h9",
        "PAN-OS 10.2.3-h8",
        "PAN-OS 10.2.3-h7",
        "PAN-OS 10.2.3-h6",
        "PAN-OS 10.2.3-h5",
        "PAN-OS 10.2.3-h4",
        "PAN-OS 10.2.3-h3",
        "PAN-OS 10.2.3-h2",
        "PAN-OS 10.2.3-h1",
        "PAN-OS 10.2.3",
        "PAN-OS 10.2.2-h6",
        "PAN-OS 10.2.2-h5",
        "PAN-OS 10.2.2-h4",
        "PAN-OS 10.2.2-h3",
        "PAN-OS 10.2.2-h2",
        "PAN-OS 10.2.2-h1",
        "PAN-OS 10.2.2",
        "PAN-OS 10.2.1-h3",
        "PAN-OS 10.2.1-h2",
        "PAN-OS 10.2.1-h1",
        "PAN-OS 10.2.1",
        "PAN-OS 10.2.0-h4",
        "PAN-OS 10.2.0-h3",
        "PAN-OS 10.2.0-h2",
        "PAN-OS 10.2.0-h1",
        "PAN-OS 10.2.0",
        "PAN-OS 10.1.14-h14",
        "PAN-OS 10.1.14-h13",
        "PAN-OS 10.1.14-h11",
        "PAN-OS 10.1.14-h10",
        "PAN-OS 10.1.14-h9",
        "PAN-OS 10.1.14-h8",
        "PAN-OS 10.1.14-h7",
        "PAN-OS 10.1.14-h6",
        "PAN-OS 10.1.14-h5",
        "PAN-OS 10.1.14-h4",
        "PAN-OS 10.1.14-h3",
        "PAN-OS 10.1.14-h2",
        "PAN-OS 10.1.14-h1",
        "PAN-OS 10.1.14",
        "PAN-OS 10.1.13-h5",
        "PAN-OS 10.1.13-h4",
        "PAN-OS 10.1.13-h3",
        "PAN-OS 10.1.13-h2",
        "PAN-OS 10.1.13-h1",
        "PAN-OS 10.1.13",
        "PAN-OS 10.1.12-h3",
        "PAN-OS 10.1.12-h2",
        "PAN-OS 10.1.12-h1",
        "PAN-OS 10.1.12",
        "PAN-OS 10.1.11-h10",
        "PAN-OS 10.1.11-h9",
        "PAN-OS 10.1.11-h8",
        "PAN-OS 10.1.11-h7",
        "PAN-OS 10.1.11-h6",
        "PAN-OS 10.1.11-h5",
        "PAN-OS 10.1.11-h4",
        "PAN-OS 10.1.11-h3",
        "PAN-OS 10.1.11-h2",
        "PAN-OS 10.1.11-h1",
        "PAN-OS 10.1.11",
        "PAN-OS 10.1.10-h9",
        "PAN-OS 10.1.10-h8",
        "PAN-OS 10.1.10-h7",
        "PAN-OS 10.1.10-h6",
        "PAN-OS 10.1.10-h5",
        "PAN-OS 10.1.10-h4",
        "PAN-OS 10.1.10-h3",
        "PAN-OS 10.1.10-h2",
        "PAN-OS 10.1.10-h1",
        "PAN-OS 10.1.10",
        "PAN-OS 10.1.9-h14",
        "PAN-OS 10.1.9-h13",
        "PAN-OS 10.1.9-h12",
        "PAN-OS 10.1.9-h11",
        "PAN-OS 10.1.9-h10",
        "PAN-OS 10.1.9-h9",
        "PAN-OS 10.1.9-h8",
        "PAN-OS 10.1.9-h7",
        "PAN-OS 10.1.9-h6",
        "PAN-OS 10.1.9-h5",
        "PAN-OS 10.1.9-h4",
        "PAN-OS 10.1.9-h3",
        "PAN-OS 10.1.9-h2",
        "PAN-OS 10.1.9-h1",
        "PAN-OS 10.1.9",
        "PAN-OS 10.1.8-h8",
        "PAN-OS 10.1.8-h7",
        "PAN-OS 10.1.8-h6",
        "PAN-OS 10.1.8-h5",
        "PAN-OS 10.1.8-h4",
        "PAN-OS 10.1.8-h3",
        "PAN-OS 10.1.8-h2",
        "PAN-OS 10.1.8-h1",
        "PAN-OS 10.1.8",
        "PAN-OS 10.1.7-h1",
        "PAN-OS 10.1.7",
        "PAN-OS 10.1.6-h9",
        "PAN-OS 10.1.6-h8",
        "PAN-OS 10.1.6-h7",
        "PAN-OS 10.1.6-h6",
        "PAN-OS 10.1.6-h5",
        "PAN-OS 10.1.6-h4",
        "PAN-OS 10.1.6-h3",
        "PAN-OS 10.1.6-h2",
        "PAN-OS 10.1.6-h1",
        "PAN-OS 10.1.6",
        "PAN-OS 10.1.5-h4",
        "PAN-OS 10.1.5-h3",
        "PAN-OS 10.1.5-h2",
        "PAN-OS 10.1.5-h1",
        "PAN-OS 10.1.5",
        "PAN-OS 10.1.4-h6",
        "PAN-OS 10.1.4-h5",
        "PAN-OS 10.1.4-h4",
        "PAN-OS 10.1.4-h3",
        "PAN-OS 10.1.4-h2",
        "PAN-OS 10.1.4-h1",
        "PAN-OS 10.1.4",
        "PAN-OS 10.1.3-h4",
        "PAN-OS 10.1.3-h3",
        "PAN-OS 10.1.3-h2",
        "PAN-OS 10.1.3-h1",
        "PAN-OS 10.1.3",
        "PAN-OS 10.1.2",
        "PAN-OS 10.1.1",
        "PAN-OS 10.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-4230",
    "datePublished": "2025-06-12T23:30:15.781Z",
    "dateReserved": "2025-05-02T19:10:43.398Z",
    "dateUpdated": "2025-06-13T13:32:41.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0030 (GCVE-0-2022-0030)
Vulnerability from
Published
2022-10-12 16:30
Modified
2025-05-15 14:00
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-290 - Authentication Bypass by Spoofing
Summary
An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions.
References
Impacted products
Vendor Product Version
Palo Alto Networks PAN-OS Version: 8.1   < 8.1.24
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.402Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2022-0030"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-0030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T13:59:44.889716Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T14:00:04.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "9.0 All"
            },
            {
              "status": "unaffected",
              "version": "9.1 All"
            },
            {
              "status": "unaffected",
              "version": "10.1 All"
            },
            {
              "status": "unaffected",
              "version": "10.2 All"
            },
            {
              "status": "unaffected",
              "version": "10.0 All"
            },
            {
              "changes": [
                {
                  "at": "8.1.24",
                  "status": "unaffected"
                }
              ],
              "lessThan": "8.1.24",
              "status": "affected",
              "version": "8.1",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All"
            }
          ]
        },
        {
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks thanks the security researcher that discovered and reported this issue."
        }
      ],
      "datePublic": "2022-10-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290 Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-12T00:00:00.000Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "url": "https://security.paloaltonetworks.com/CVE-2022-0030"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in PAN-OS 8.1.24 and all later PAN-OS versions.\n\nPlease note that PAN-OS 8.1 has reached its software end-of-life (EoL) and is supported only on PA-200, PA-500, and PA-5000 Series firewalls and on M-100 appliances and only until each of their respective hardware EoL dates:  https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates.html."
        }
      ],
      "source": {
        "defect": [
          "PAN-195571"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-10-12T00:00:00",
          "value": "Initial publication"
        }
      ],
      "title": "PAN-OS: Authentication Bypass in Web Interface",
      "workarounds": [
        {
          "lang": "en",
          "value": "Customers with a Threat Prevention subscription can block known attacks for this vulnerability by enabling Threat ID 92720 (Applications and Threats content update 8630-7638).\n\nTo exploit this issue, the attacker must have network access to the PAN-OS web interface. You can mitigate the impact of this issue by following best practices for securing the PAN-OS web interface. Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2022-0030",
    "datePublished": "2022-10-12T16:30:12.300Z",
    "dateReserved": "2021-12-28T00:00:00.000Z",
    "dateUpdated": "2025-05-15T14:00:04.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0130 (GCVE-0-2025-0130)
Vulnerability from
Published
2025-05-14 17:37
Modified
2025-05-15 13:49
Severity ?
8.2 (High) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber
CWE
  • CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode. This issue does not affect Cloud NGFW or Prisma Access.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All
 Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.2.0   < 11.2.5
Version: 11.1.0   < 11.1.6-h1
Patch: 10.2.0
Patch: 10.1.0
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0130",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-15T13:49:38.778018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-15T13:49:45.683Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.2.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.2.5",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.6-h1",
                  "status": "unaffected"
                },
                {
                  "at": "11.1.7-h2",
                  "status": "unaffected"
                },
                {
                  "at": "11.1.8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.6-h1",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.\u003cbr\u003eTo verify if you have configured web proxy on your PAN-OS device, see our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps://\"\u003edocumentation regarding the web proxy feature\u003c/a\u003e."
            }
          ],
          "value": "This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.\nTo verify if you have configured web proxy on your PAN-OS device, see our  documentation regarding the web proxy feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps:// ."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jari Pietila of Palo Alto Networks"
        }
      ],
      "datePublic": "2025-05-14T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": true,
              "type": "text/html",
              "value": "\u003cp\u003eA missing exception check in Palo Alto Networks PAN-OS\u00ae software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.\u003c/p\u003e\u003cp\u003eThis issue does not affect Cloud NGFW or Prisma Access.\u003c/p\u003e"
            }
          ],
          "value": "A missing exception check in Palo Alto Networks PAN-OS\u00ae software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.\n\nThis issue does not affect Cloud NGFW or Prisma Access."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-583",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-583 Disabling Network Hardware"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T17:37:40.937Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-0130"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.2.0 through 11.2.4\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.5 or later.\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003c/td\u003e\u003ctd\u003e11.1.0 through 11.1.7\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.7-h2 or 11.1.8 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e11.1.0 through 11.1.6\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.6-h1 or 11.1.8 or later.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.0 (EoL)\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll other\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.4Upgrade to 11.2.5 or later.\nPAN-OS 11.111.1.0 through 11.1.7\nUpgrade to 11.1.7-h2 or 11.1.8 or later.\u00a011.1.0 through 11.1.6Upgrade to 11.1.6-h1 or 11.1.8 or later.PAN-OS 11.0 (EoL)\n\nUpgrade to a supported fixed version.\nPAN-OS 10.2\nNo action needed.PAN-OS 10.1\nNo action needed.All other\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version."
        }
      ],
      "source": {
        "defect": [
          "PAN-273308"
        ],
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "eng",
          "time": "2025-05-14T16:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Feature via a Burst of Maliciously Crafted Packets",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "If you are not using the web proxy feature, you can disable it to mitigate this issue. For more information regarding the web proxy feature, see our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps://\"\u003edocumentation regarding the web proxy feature\u003c/a\u003e."
            }
          ],
          "value": "If you are not using the web proxy feature, you can disable it to mitigate this issue. For more information regarding the web proxy feature, see our  documentation regarding the web proxy feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps:// ."
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.2.4-h7",
        "PAN-OS 11.2.4-h6",
        "PAN-OS 11.2.4-h5",
        "PAN-OS 11.2.4-h4",
        "PAN-OS 11.2.4-h3",
        "PAN-OS 11.2.4-h2",
        "PAN-OS 11.2.4-h1",
        "PAN-OS 11.2.4",
        "PAN-OS 11.2.3-h5",
        "PAN-OS 11.2.3-h4",
        "PAN-OS 11.2.3-h3",
        "PAN-OS 11.2.3-h2",
        "PAN-OS 11.2.3-h1",
        "PAN-OS 11.2.3",
        "PAN-OS 11.2.2-h2",
        "PAN-OS 11.2.2-h1",
        "PAN-OS 11.2.1-h1",
        "PAN-OS 11.2.1",
        "PAN-OS 11.2.0-h1",
        "PAN-OS 11.2.0",
        "PAN-OS 11.1.6",
        "PAN-OS 11.1.5-h1",
        "PAN-OS 11.1.5",
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0"
      ],
      "x_generator": {
        "engine": "vulnogram 0.1.0-rc1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-0130",
    "datePublished": "2025-05-14T17:37:40.937Z",
    "dateReserved": "2024-12-20T23:23:30.807Z",
    "dateUpdated": "2025-05-15T13:49:45.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0137 (GCVE-0-2025-0137)
Vulnerability from
Published
2025-05-14 18:09
Modified
2025-05-14 20:49
Severity ?
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber
2.0 (Low) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber
CWE
  • CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Summary
An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator. The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All   < 6.3.3
 Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.2.0   < 11.2.5
Version: 11.1.0   < 11.1.8
Version: 10.2.0   < 10.2.13
Version: 10.1.0   < 10.1.14-h14
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0137",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T20:49:22.857344Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T20:49:31.100Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "6.3.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "6.3.3",
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "changes": [
                {
                  "at": "11.2.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.2.5",
              "status": "affected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.8",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.8",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.13",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.13",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.1.14-h14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.1.14-h14",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e \u003c/p\u003e\u003cp\u003eThe risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eDirectly; or\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eThrough a dataplane interface that includes a management interface profile.\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\u003c/p\u003e\u003cp\u003eUse the following steps to identify your recently detected devices in our internet scans.\u003c/p\u003e\u003col\u003e\u003cli\u003e\u003cp\u003eTo find any assets that require remediation, visit the Assets section of the Customer Support Portal:\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.paloaltonetworks.com\"\u003ehttps://support.paloaltonetworks.com\u003c/a\u003e and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003eReview the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\u003cbr\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ol\u003e\u003cdiv\u003e\u003cp\u003eGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443).\u003c/p\u003e\u003c/div\u003e\u003cb\u003e\u003cp\u003e\u003c/p\u003e\u003c/b\u003e"
            }
          ],
          "value": "The risk is greatest if you allow access to the management web interface from the internet or from any untrusted network either:\n\n  *  Directly; or\n\n\n  *  Through a dataplane interface that includes a management interface profile.\n\n\nYou greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management web interface.\n\nUse the following steps to identify your recently detected devices in our internet scans.\n\n  *  To find any assets that require remediation, visit the Assets section of the Customer Support Portal: https://support.paloaltonetworks.com  and then select Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\n\n\n  *  Review the list of your assets that we discovered in our scans to have an internet-facing management interface. We tagged these assets with \u2018PAN-SA-2024-0015\u2019 and a last seen timestamp (in UTC). If you do not see any such assets listed, then our scan did not find any devices associated with your account in the past three days that have an internet-facing management interface.\n\n\n\nGlobalProtect\u2122 portals and gateways are not vulnerable to this issue. However, if you configure a management profile on interfaces with GlobalProtect portals or gateways, then you are exposing the firewall to attacks through the management web interface (typically accessible on port 4443)."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jasper Westerman, Harm Blankers and Yanick de Pater of REQON B.V."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "a customer"
        }
      ],
      "datePublic": "2025-05-14T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS\u00ae software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.\u003cbr\u003e\u003c/p\u003e\u003cb\u003e\u003c/b\u003e\u003cp\u003eThe attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ecritical deployment guidelines\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS\u00ae software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.\n\n\nThe attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 ."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-195",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-195 Principal Spoof"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "The risk is highest when you allow access to the management interface from external IP addresses on the internet."
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "You can greatly reduce the risk of exploitation by restricting web interface access to a jump box as the only system or source with access to the management interface. This ensures that attacks succeed only if they obtain privileged access through the IP addresses that you specify."
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T18:09:32.036Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-0137"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.2.0 through 11.2.4\u003c/td\u003e\u003ctd\u003eUpgrade to 11.2.5 or later\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003c/td\u003e\u003ctd\u003e11.1.0 through 11.1.7\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.8 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.2.0 through 10.2.12\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.13 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.1.0 through 10.1.14\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 10.1.14-h14 or later\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll other\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.4Upgrade to 11.2.5 or later\nPAN-OS 11.111.1.0 through 11.1.7\nUpgrade to 11.1.8 or laterPAN-OS 10.2\n10.2.0 through 10.2.12Upgrade to 10.2.13 or laterPAN-OS 10.1\n10.1.0 through 10.1.14\nUpgrade to 10.1.14-h14 or later\nAll other\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version."
        }
      ],
      "source": {
        "defect": [
          "PAN-265549"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-14T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Improper Neutralization of Input in the Management Web Interface",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eRecommended mitigation\u003c/b\u003e\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ecritical deployment guidelines\u003c/a\u003e. Specifically, you should restrict management interface access to only trusted internal IP addresses.\u003c/p\u003e\u003cp\u003eReview more information about how to secure management access to your Palo Alto Networks firewalls in these documents:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks LIVEcommunity article:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"\u003ehttps://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003ePalo Alto Networks official and detailed technical documentation:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"\u003ehttps://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\u003c/a\u003e\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e"
            }
          ],
          "value": "Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our  https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n\n\n\n\n  *  Palo Alto Networks official and detailed technical documentation:\u00a0 https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices"
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.2.4-h7",
        "PAN-OS 11.2.4-h6",
        "PAN-OS 11.2.4-h5",
        "PAN-OS 11.2.4-h4",
        "PAN-OS 11.2.4-h3",
        "PAN-OS 11.2.4-h2",
        "PAN-OS 11.2.4-h1",
        "PAN-OS 11.2.4",
        "PAN-OS 11.2.3-h5",
        "PAN-OS 11.2.3-h4",
        "PAN-OS 11.2.3-h3",
        "PAN-OS 11.2.3-h2",
        "PAN-OS 11.2.3-h1",
        "PAN-OS 11.2.3",
        "PAN-OS 11.2.2-h2",
        "PAN-OS 11.2.2-h1",
        "PAN-OS 11.2.1-h1",
        "PAN-OS 11.2.1",
        "PAN-OS 11.2.0-h1",
        "PAN-OS 11.2.0",
        "PAN-OS 11.1.6-h7",
        "PAN-OS 11.1.6-h6",
        "PAN-OS 11.1.6-h4",
        "PAN-OS 11.1.6-h3",
        "PAN-OS 11.1.6-h2",
        "PAN-OS 11.1.6-h1",
        "PAN-OS 11.1.6",
        "PAN-OS 11.1.5-h1",
        "PAN-OS 11.1.5",
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0",
        "PAN-OS 10.2.12-h6",
        "PAN-OS 10.2.12-h5",
        "PAN-OS 10.2.12-h4",
        "PAN-OS 10.2.12-h3",
        "PAN-OS 10.2.12-h2",
        "PAN-OS 10.2.12-h1",
        "PAN-OS 10.2.12",
        "PAN-OS 10.2.11-h13",
        "PAN-OS 10.2.11-h12",
        "PAN-OS 10.2.11-h11",
        "PAN-OS 10.2.11-h10",
        "PAN-OS 10.2.11-h9",
        "PAN-OS 10.2.11-h8",
        "PAN-OS 10.2.11-h7",
        "PAN-OS 10.2.11-h6",
        "PAN-OS 10.2.11-h5",
        "PAN-OS 10.2.11-h4",
        "PAN-OS 10.2.11-h3",
        "PAN-OS 10.2.11-h2",
        "PAN-OS 10.2.11-h1",
        "PAN-OS 10.2.11",
        "PAN-OS 10.2.10-h18",
        "PAN-OS 10.2.10-h17",
        "PAN-OS 10.2.10-h14",
        "PAN-OS 10.2.10-h13",
        "PAN-OS 10.2.10-h12",
        "PAN-OS 10.2.10-h11",
        "PAN-OS 10.2.10-h10",
        "PAN-OS 10.2.10-h9",
        "PAN-OS 10.2.10-h8",
        "PAN-OS 10.2.10-h7",
        "PAN-OS 10.2.10-h6",
        "PAN-OS 10.2.10-h5",
        "PAN-OS 10.2.10-h4",
        "PAN-OS 10.2.10-h3",
        "PAN-OS 10.2.10-h2",
        "PAN-OS 10.2.10-h1",
        "PAN-OS 10.2.10",
        "PAN-OS 10.2.9-h21",
        "PAN-OS 10.2.9-h20",
        "PAN-OS 10.2.9-h19",
        "PAN-OS 10.2.9-h18",
        "PAN-OS 10.2.9-h17",
        "PAN-OS 10.2.9-h16",
        "PAN-OS 10.2.9-h15",
        "PAN-OS 10.2.9-h14",
        "PAN-OS 10.2.9-h13",
        "PAN-OS 10.2.9-h12",
        "PAN-OS 10.2.9-h11",
        "PAN-OS 10.2.9-h10",
        "PAN-OS 10.2.9-h9",
        "PAN-OS 10.2.9-h8",
        "PAN-OS 10.2.9-h7",
        "PAN-OS 10.2.9-h6",
        "PAN-OS 10.2.9-h5",
        "PAN-OS 10.2.9-h4",
        "PAN-OS 10.2.9-h3",
        "PAN-OS 10.2.9-h2",
        "PAN-OS 10.2.9-h1",
        "PAN-OS 10.2.9",
        "PAN-OS 10.2.8-h21",
        "PAN-OS 10.2.8-h20",
        "PAN-OS 10.2.8-h19",
        "PAN-OS 10.2.8-h18",
        "PAN-OS 10.2.8-h17",
        "PAN-OS 10.2.8-h16",
        "PAN-OS 10.2.8-h15",
        "PAN-OS 10.2.8-h14",
        "PAN-OS 10.2.8-h13",
        "PAN-OS 10.2.8-h12",
        "PAN-OS 10.2.8-h11",
        "PAN-OS 10.2.8-h10",
        "PAN-OS 10.2.8-h9",
        "PAN-OS 10.2.8-h8",
        "PAN-OS 10.2.8-h7",
        "PAN-OS 10.2.8-h6",
        "PAN-OS 10.2.8-h5",
        "PAN-OS 10.2.8-h4",
        "PAN-OS 10.2.8-h3",
        "PAN-OS 10.2.8-h2",
        "PAN-OS 10.2.8-h1",
        "PAN-OS 10.2.8",
        "PAN-OS 10.2.7-h24",
        "PAN-OS 10.2.7-h23",
        "PAN-OS 10.2.7-h22",
        "PAN-OS 10.2.7-h21",
        "PAN-OS 10.2.7-h20",
        "PAN-OS 10.2.7-h19",
        "PAN-OS 10.2.7-h18",
        "PAN-OS 10.2.7-h17",
        "PAN-OS 10.2.7-h16",
        "PAN-OS 10.2.7-h15",
        "PAN-OS 10.2.7-h14",
        "PAN-OS 10.2.7-h13",
        "PAN-OS 10.2.7-h12",
        "PAN-OS 10.2.7-h11",
        "PAN-OS 10.2.7-h10",
        "PAN-OS 10.2.7-h9",
        "PAN-OS 10.2.7-h8",
        "PAN-OS 10.2.7-h7",
        "PAN-OS 10.2.7-h6",
        "PAN-OS 10.2.7-h5",
        "PAN-OS 10.2.7-h4",
        "PAN-OS 10.2.7-h3",
        "PAN-OS 10.2.7-h2",
        "PAN-OS 10.2.7-h1",
        "PAN-OS 10.2.7",
        "PAN-OS 10.2.6-h6",
        "PAN-OS 10.2.6-h5",
        "PAN-OS 10.2.6-h4",
        "PAN-OS 10.2.6-h3",
        "PAN-OS 10.2.6-h2",
        "PAN-OS 10.2.6-h1",
        "PAN-OS 10.2.6",
        "PAN-OS 10.2.5-h9",
        "PAN-OS 10.2.5-h8",
        "PAN-OS 10.2.5-h7",
        "PAN-OS 10.2.5-h6",
        "PAN-OS 10.2.5-h5",
        "PAN-OS 10.2.5-h4",
        "PAN-OS 10.2.5-h3",
        "PAN-OS 10.2.5-h2",
        "PAN-OS 10.2.5-h1",
        "PAN-OS 10.2.5",
        "PAN-OS 10.2.4-h32",
        "PAN-OS 10.2.4-h31",
        "PAN-OS 10.2.4-h30",
        "PAN-OS 10.2.4-h29",
        "PAN-OS 10.2.4-h28",
        "PAN-OS 10.2.4-h27",
        "PAN-OS 10.2.4-h26",
        "PAN-OS 10.2.4-h25",
        "PAN-OS 10.2.4-h24",
        "PAN-OS 10.2.4-h23",
        "PAN-OS 10.2.4-h22",
        "PAN-OS 10.2.4-h21",
        "PAN-OS 10.2.4-h20",
        "PAN-OS 10.2.4-h19",
        "PAN-OS 10.2.4-h18",
        "PAN-OS 10.2.4-h17",
        "PAN-OS 10.2.4-h16",
        "PAN-OS 10.2.4-h15",
        "PAN-OS 10.2.4-h14",
        "PAN-OS 10.2.4-h13",
        "PAN-OS 10.2.4-h12",
        "PAN-OS 10.2.4-h11",
        "PAN-OS 10.2.4-h10",
        "PAN-OS 10.2.4-h9",
        "PAN-OS 10.2.4-h8",
        "PAN-OS 10.2.4-h7",
        "PAN-OS 10.2.4-h6",
        "PAN-OS 10.2.4-h5",
        "PAN-OS 10.2.4-h4",
        "PAN-OS 10.2.4-h3",
        "PAN-OS 10.2.4-h2",
        "PAN-OS 10.2.4-h1",
        "PAN-OS 10.2.4",
        "PAN-OS 10.2.3-h14",
        "PAN-OS 10.2.3-h13",
        "PAN-OS 10.2.3-h12",
        "PAN-OS 10.2.3-h11",
        "PAN-OS 10.2.3-h10",
        "PAN-OS 10.2.3-h9",
        "PAN-OS 10.2.3-h8",
        "PAN-OS 10.2.3-h7",
        "PAN-OS 10.2.3-h6",
        "PAN-OS 10.2.3-h5",
        "PAN-OS 10.2.3-h4",
        "PAN-OS 10.2.3-h3",
        "PAN-OS 10.2.3-h2",
        "PAN-OS 10.2.3-h1",
        "PAN-OS 10.2.3",
        "PAN-OS 10.2.2-h6",
        "PAN-OS 10.2.2-h5",
        "PAN-OS 10.2.2-h4",
        "PAN-OS 10.2.2-h3",
        "PAN-OS 10.2.2-h2",
        "PAN-OS 10.2.2-h1",
        "PAN-OS 10.2.2",
        "PAN-OS 10.2.1-h3",
        "PAN-OS 10.2.1-h2",
        "PAN-OS 10.2.1-h1",
        "PAN-OS 10.2.1",
        "PAN-OS 10.2.0-h4",
        "PAN-OS 10.2.0-h3",
        "PAN-OS 10.2.0-h2",
        "PAN-OS 10.2.0-h1",
        "PAN-OS 10.2.0",
        "PAN-OS 10.1.14-h13",
        "PAN-OS 10.1.14-h11",
        "PAN-OS 10.1.14-h10",
        "PAN-OS 10.1.14-h9",
        "PAN-OS 10.1.14-h8",
        "PAN-OS 10.1.14-h7",
        "PAN-OS 10.1.14-h6",
        "PAN-OS 10.1.14-h5",
        "PAN-OS 10.1.14-h4",
        "PAN-OS 10.1.14-h3",
        "PAN-OS 10.1.14-h2",
        "PAN-OS 10.1.14-h1",
        "PAN-OS 10.1.14",
        "PAN-OS 10.1.13-h5",
        "PAN-OS 10.1.13-h4",
        "PAN-OS 10.1.13-h3",
        "PAN-OS 10.1.13-h2",
        "PAN-OS 10.1.13-h1",
        "PAN-OS 10.1.13",
        "PAN-OS 10.1.12-h3",
        "PAN-OS 10.1.12-h2",
        "PAN-OS 10.1.12-h1",
        "PAN-OS 10.1.12",
        "PAN-OS 10.1.11-h10",
        "PAN-OS 10.1.11-h9",
        "PAN-OS 10.1.11-h8",
        "PAN-OS 10.1.11-h7",
        "PAN-OS 10.1.11-h6",
        "PAN-OS 10.1.11-h5",
        "PAN-OS 10.1.11-h4",
        "PAN-OS 10.1.11-h3",
        "PAN-OS 10.1.11-h2",
        "PAN-OS 10.1.11-h1",
        "PAN-OS 10.1.11",
        "PAN-OS 10.1.10-h9",
        "PAN-OS 10.1.10-h8",
        "PAN-OS 10.1.10-h7",
        "PAN-OS 10.1.10-h6",
        "PAN-OS 10.1.10-h5",
        "PAN-OS 10.1.10-h4",
        "PAN-OS 10.1.10-h3",
        "PAN-OS 10.1.10-h2",
        "PAN-OS 10.1.10-h1",
        "PAN-OS 10.1.10",
        "PAN-OS 10.1.9-h14",
        "PAN-OS 10.1.9-h13",
        "PAN-OS 10.1.9-h12",
        "PAN-OS 10.1.9-h11",
        "PAN-OS 10.1.9-h10",
        "PAN-OS 10.1.9-h9",
        "PAN-OS 10.1.9-h8",
        "PAN-OS 10.1.9-h7",
        "PAN-OS 10.1.9-h6",
        "PAN-OS 10.1.9-h5",
        "PAN-OS 10.1.9-h4",
        "PAN-OS 10.1.9-h3",
        "PAN-OS 10.1.9-h2",
        "PAN-OS 10.1.9-h1",
        "PAN-OS 10.1.9",
        "PAN-OS 10.1.8-h8",
        "PAN-OS 10.1.8-h7",
        "PAN-OS 10.1.8-h6",
        "PAN-OS 10.1.8-h5",
        "PAN-OS 10.1.8-h4",
        "PAN-OS 10.1.8-h3",
        "PAN-OS 10.1.8-h2",
        "PAN-OS 10.1.8-h1",
        "PAN-OS 10.1.8",
        "PAN-OS 10.1.7-h1",
        "PAN-OS 10.1.7",
        "PAN-OS 10.1.6-h9",
        "PAN-OS 10.1.6-h8",
        "PAN-OS 10.1.6-h7",
        "PAN-OS 10.1.6-h6",
        "PAN-OS 10.1.6-h5",
        "PAN-OS 10.1.6-h4",
        "PAN-OS 10.1.6-h3",
        "PAN-OS 10.1.6-h2",
        "PAN-OS 10.1.6-h1",
        "PAN-OS 10.1.6",
        "PAN-OS 10.1.5-h4",
        "PAN-OS 10.1.5-h3",
        "PAN-OS 10.1.5-h2",
        "PAN-OS 10.1.5-h1",
        "PAN-OS 10.1.5",
        "PAN-OS 10.1.4-h6",
        "PAN-OS 10.1.4-h5",
        "PAN-OS 10.1.4-h4",
        "PAN-OS 10.1.4-h3",
        "PAN-OS 10.1.4-h2",
        "PAN-OS 10.1.4-h1",
        "PAN-OS 10.1.4",
        "PAN-OS 10.1.3-h4",
        "PAN-OS 10.1.3-h3",
        "PAN-OS 10.1.3-h2",
        "PAN-OS 10.1.3-h1",
        "PAN-OS 10.1.3",
        "PAN-OS 10.1.2",
        "PAN-OS 10.1.1",
        "PAN-OS 10.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-0137",
    "datePublished": "2025-05-14T18:09:32.036Z",
    "dateReserved": "2024-12-20T23:24:40.079Z",
    "dateUpdated": "2025-05-14T20:49:31.100Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0136 (GCVE-0-2025-0136)
Vulnerability from
Published
2025-05-14 18:12
Modified
2025-05-14 19:43
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
CWE
  • CWE-319 - Cleartext Transmission of Sensitive Information
Summary
Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All
 Create a notification for this product.
   Palo Alto Networks PAN-OS Patch: 11.2.0
Version: 11.1.0   < 11.1.5
Version: 11.0.0   < 11.0.7
Version: 10.2.0   < 10.2.11
Version: 10.1.0   < 10.1.14-h14
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0136",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-14T19:43:38.440941Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-14T19:43:47.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.5",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.0.7",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.7",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.11",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.11",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.1.14-h14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.1.14-h14",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "You can verify whether you configured AES-128-CCM by checking IPSec profiles on  your \u200b\u200bx86_64 Intel platform based  firewall (Network \u2192  Network Profiles \u2192 IPSec Crypto \u2192 Encryption \u2192 AES-128-CCM)."
            }
          ],
          "value": "You can verify whether you configured AES-128-CCM by checking IPSec profiles on  your \u200b\u200bx86_64 Intel platform based  firewall (Network \u2192  Network Profiles \u2192 IPSec Crypto \u2192 Encryption \u2192 AES-128-CCM)."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Benjamin Bai of Palo Alto Networks"
        }
      ],
      "datePublic": "2025-05-14T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS\u00ae firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec.\u003cbr\u003e\u003cbr\u003eThis issue does not affect Cloud NGFWs, Prisma\u00ae Access instances, or  PAN-OS VM-Series firewalls.\u003cbr\u003e\u003cbr\u003eNOTE: The AES-128-CCM encryption algorithm is not recommended for use."
            }
          ],
          "value": "Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS\u00ae firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec.\n\nThis issue does not affect Cloud NGFWs, Prisma\u00ae Access instances, or  PAN-OS VM-Series firewalls.\n\nNOTE: The AES-128-CCM encryption algorithm is not recommended for use."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-117",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-117 Interception"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-14T18:12:14.153Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2025-0136"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eNo action needed\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.1\u003c/td\u003e\u003ctd\u003e11.1.0 through 11.1.4\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 11.1.5 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 11.0\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.0.0 through 11.0.6\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 11.0.7 or later\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.2\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.2.0 through 10.2.10\u003c/td\u003e\u003ctd\u003eUpgrade to 10.2.11 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ePAN-OS 10.1\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e10.1.0 through 10.1.14\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eUpgrade to 10.1.14-h14 or later\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAll other older\u003cbr\u003eunsupported\u003cbr\u003ePAN-OS versions\u003c/td\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003eUpgrade to a supported fixed version.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003e\u003cbr\u003ePAN-OS 11.0 is EoL. We listed it in this section for completeness and because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 on any of your firewalls, though, we strongly recommend that you upgrade to a supported (non-EoL) fixed version.\u003c/p\u003e"
            }
          ],
          "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n\nNo action needed\nPAN-OS 11.111.1.0 through 11.1.4\nUpgrade to 11.1.5 or laterPAN-OS 11.0\n11.0.0 through 11.0.6\nUpgrade to 11.0.7 or later\nPAN-OS 10.2\n10.2.0 through 10.2.10Upgrade to 10.2.11 or laterPAN-OS 10.1\n10.1.0 through 10.1.14\nUpgrade to 10.1.14-h14 or later\nAll other older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\nPAN-OS 11.0 is EoL. We listed it in this section for completeness and because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 on any of your firewalls, though, we strongly recommend that you upgrade to a supported (non-EoL) fixed version."
        }
      ],
      "source": {
        "defect": [
          "PAN-250162"
        ],
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-14T16:00:00.000Z",
          "value": "Initial Publication"
        }
      ],
      "title": "PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eConfigure IPSec Crypto encryption to an algorithm that meets current security standards, such as AES-256-GCM or AES-256-CBC, on PA 7500, PA 5400, PA 5400f, PA 3400, PA 1600, PA 1400, and PA 400 series hardware PAN-OS firewalls. For more information on configuring the IPSec Crypto Profiles see our \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles\"\u003edocumentation\u003c/a\u003e.\u003c/p\u003e"
            }
          ],
          "value": "Configure IPSec Crypto encryption to an algorithm that meets current security standards, such as AES-256-GCM or AES-256-CBC, on PA 7500, PA 5400, PA 5400f, PA 3400, PA 1600, PA 1400, and PA 400 series hardware PAN-OS firewalls. For more information on configuring the IPSec Crypto Profiles see our  documentation https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles ."
        }
      ],
      "x_affectedList": [
        "PAN-OS 11.1.4-h18",
        "PAN-OS 11.1.4-h17",
        "PAN-OS 11.1.4-h15",
        "PAN-OS 11.1.4-h13",
        "PAN-OS 11.1.4-h12",
        "PAN-OS 11.1.4-h11",
        "PAN-OS 11.1.4-h10",
        "PAN-OS 11.1.4-h9",
        "PAN-OS 11.1.4-h8",
        "PAN-OS 11.1.4-h7",
        "PAN-OS 11.1.4-h6",
        "PAN-OS 11.1.4-h5",
        "PAN-OS 11.1.4-h4",
        "PAN-OS 11.1.4-h3",
        "PAN-OS 11.1.4-h2",
        "PAN-OS 11.1.4-h1",
        "PAN-OS 11.1.4",
        "PAN-OS 11.1.3-h13",
        "PAN-OS 11.1.3-h12",
        "PAN-OS 11.1.3-h11",
        "PAN-OS 11.1.3-h10",
        "PAN-OS 11.1.3-h9",
        "PAN-OS 11.1.3-h8",
        "PAN-OS 11.1.3-h7",
        "PAN-OS 11.1.3-h6",
        "PAN-OS 11.1.3-h5",
        "PAN-OS 11.1.3-h4",
        "PAN-OS 11.1.3-h3",
        "PAN-OS 11.1.3-h2",
        "PAN-OS 11.1.3-h1",
        "PAN-OS 11.1.3",
        "PAN-OS 11.1.2-h18",
        "PAN-OS 11.1.2-h17",
        "PAN-OS 11.1.2-h16",
        "PAN-OS 11.1.2-h15",
        "PAN-OS 11.1.2-h14",
        "PAN-OS 11.1.2-h13",
        "PAN-OS 11.1.2-h12",
        "PAN-OS 11.1.2-h11",
        "PAN-OS 11.1.2-h10",
        "PAN-OS 11.1.2-h9",
        "PAN-OS 11.1.2-h8",
        "PAN-OS 11.1.2-h7",
        "PAN-OS 11.1.2-h6",
        "PAN-OS 11.1.2-h5",
        "PAN-OS 11.1.2-h4",
        "PAN-OS 11.1.2-h3",
        "PAN-OS 11.1.2-h2",
        "PAN-OS 11.1.2-h1",
        "PAN-OS 11.1.2",
        "PAN-OS 11.1.1-h2",
        "PAN-OS 11.1.1-h1",
        "PAN-OS 11.1.1",
        "PAN-OS 11.1.0-h4",
        "PAN-OS 11.1.0-h3",
        "PAN-OS 11.1.0-h2",
        "PAN-OS 11.1.0-h1",
        "PAN-OS 11.1.0",
        "PAN-OS 11.0.6-h1",
        "PAN-OS 11.0.6",
        "PAN-OS 11.0.5-h2",
        "PAN-OS 11.0.5-h1",
        "PAN-OS 11.0.5",
        "PAN-OS 11.0.4-h6",
        "PAN-OS 11.0.4-h5",
        "PAN-OS 11.0.4-h4",
        "PAN-OS 11.0.4-h3",
        "PAN-OS 11.0.4-h2",
        "PAN-OS 11.0.4-h1",
        "PAN-OS 11.0.4",
        "PAN-OS 11.0.3-h13",
        "PAN-OS 11.0.3-h12",
        "PAN-OS 11.0.3-h11",
        "PAN-OS 11.0.3-h10",
        "PAN-OS 11.0.3-h9",
        "PAN-OS 11.0.3-h8",
        "PAN-OS 11.0.3-h7",
        "PAN-OS 11.0.3-h6",
        "PAN-OS 11.0.3-h5",
        "PAN-OS 11.0.3-h4",
        "PAN-OS 11.0.3-h3",
        "PAN-OS 11.0.3-h2",
        "PAN-OS 11.0.3-h1",
        "PAN-OS 11.0.3",
        "PAN-OS 11.0.2-h5",
        "PAN-OS 11.0.2-h4",
        "PAN-OS 11.0.2-h3",
        "PAN-OS 11.0.2-h2",
        "PAN-OS 11.0.2-h1",
        "PAN-OS 11.0.2",
        "PAN-OS 11.0.1-h5",
        "PAN-OS 11.0.1-h4",
        "PAN-OS 11.0.1-h3",
        "PAN-OS 11.0.1-h2",
        "PAN-OS 11.0.1-h1",
        "PAN-OS 11.0.1",
        "PAN-OS 11.0.0-h4",
        "PAN-OS 11.0.0-h3",
        "PAN-OS 11.0.0-h2",
        "PAN-OS 11.0.0-h1",
        "PAN-OS 11.0.0",
        "PAN-OS 10.2.10-h18",
        "PAN-OS 10.2.10-h17",
        "PAN-OS 10.2.10-h14",
        "PAN-OS 10.2.10-h13",
        "PAN-OS 10.2.10-h12",
        "PAN-OS 10.2.10-h11",
        "PAN-OS 10.2.10-h10",
        "PAN-OS 10.2.10-h9",
        "PAN-OS 10.2.10-h8",
        "PAN-OS 10.2.10-h7",
        "PAN-OS 10.2.10-h6",
        "PAN-OS 10.2.10-h5",
        "PAN-OS 10.2.10-h4",
        "PAN-OS 10.2.10-h3",
        "PAN-OS 10.2.10-h2",
        "PAN-OS 10.2.10-h1",
        "PAN-OS 10.2.10",
        "PAN-OS 10.2.9-h21",
        "PAN-OS 10.2.9-h20",
        "PAN-OS 10.2.9-h19",
        "PAN-OS 10.2.9-h18",
        "PAN-OS 10.2.9-h17",
        "PAN-OS 10.2.9-h16",
        "PAN-OS 10.2.9-h15",
        "PAN-OS 10.2.9-h14",
        "PAN-OS 10.2.9-h13",
        "PAN-OS 10.2.9-h12",
        "PAN-OS 10.2.9-h11",
        "PAN-OS 10.2.9-h10",
        "PAN-OS 10.2.9-h9",
        "PAN-OS 10.2.9-h8",
        "PAN-OS 10.2.9-h7",
        "PAN-OS 10.2.9-h6",
        "PAN-OS 10.2.9-h5",
        "PAN-OS 10.2.9-h4",
        "PAN-OS 10.2.9-h3",
        "PAN-OS 10.2.9-h2",
        "PAN-OS 10.2.9-h1",
        "PAN-OS 10.2.9",
        "PAN-OS 10.2.8-h21",
        "PAN-OS 10.2.8-h20",
        "PAN-OS 10.2.8-h19",
        "PAN-OS 10.2.8-h18",
        "PAN-OS 10.2.8-h17",
        "PAN-OS 10.2.8-h16",
        "PAN-OS 10.2.8-h15",
        "PAN-OS 10.2.8-h14",
        "PAN-OS 10.2.8-h13",
        "PAN-OS 10.2.8-h12",
        "PAN-OS 10.2.8-h11",
        "PAN-OS 10.2.8-h10",
        "PAN-OS 10.2.8-h9",
        "PAN-OS 10.2.8-h8",
        "PAN-OS 10.2.8-h7",
        "PAN-OS 10.2.8-h6",
        "PAN-OS 10.2.8-h5",
        "PAN-OS 10.2.8-h4",
        "PAN-OS 10.2.8-h3",
        "PAN-OS 10.2.8-h2",
        "PAN-OS 10.2.8-h1",
        "PAN-OS 10.2.8",
        "PAN-OS 10.2.7-h24",
        "PAN-OS 10.2.7-h23",
        "PAN-OS 10.2.7-h22",
        "PAN-OS 10.2.7-h21",
        "PAN-OS 10.2.7-h20",
        "PAN-OS 10.2.7-h19",
        "PAN-OS 10.2.7-h18",
        "PAN-OS 10.2.7-h17",
        "PAN-OS 10.2.7-h16",
        "PAN-OS 10.2.7-h15",
        "PAN-OS 10.2.7-h14",
        "PAN-OS 10.2.7-h13",
        "PAN-OS 10.2.7-h12",
        "PAN-OS 10.2.7-h11",
        "PAN-OS 10.2.7-h10",
        "PAN-OS 10.2.7-h9",
        "PAN-OS 10.2.7-h8",
        "PAN-OS 10.2.7-h7",
        "PAN-OS 10.2.7-h6",
        "PAN-OS 10.2.7-h5",
        "PAN-OS 10.2.7-h4",
        "PAN-OS 10.2.7-h3",
        "PAN-OS 10.2.7-h2",
        "PAN-OS 10.2.7-h1",
        "PAN-OS 10.2.7",
        "PAN-OS 10.2.6-h6",
        "PAN-OS 10.2.6-h5",
        "PAN-OS 10.2.6-h4",
        "PAN-OS 10.2.6-h3",
        "PAN-OS 10.2.6-h2",
        "PAN-OS 10.2.6-h1",
        "PAN-OS 10.2.6",
        "PAN-OS 10.2.5-h9",
        "PAN-OS 10.2.5-h8",
        "PAN-OS 10.2.5-h7",
        "PAN-OS 10.2.5-h6",
        "PAN-OS 10.2.5-h5",
        "PAN-OS 10.2.5-h4",
        "PAN-OS 10.2.5-h3",
        "PAN-OS 10.2.5-h2",
        "PAN-OS 10.2.5-h1",
        "PAN-OS 10.2.5",
        "PAN-OS 10.2.4-h32",
        "PAN-OS 10.2.4-h31",
        "PAN-OS 10.2.4-h30",
        "PAN-OS 10.2.4-h29",
        "PAN-OS 10.2.4-h28",
        "PAN-OS 10.2.4-h27",
        "PAN-OS 10.2.4-h26",
        "PAN-OS 10.2.4-h25",
        "PAN-OS 10.2.4-h24",
        "PAN-OS 10.2.4-h23",
        "PAN-OS 10.2.4-h22",
        "PAN-OS 10.2.4-h21",
        "PAN-OS 10.2.4-h20",
        "PAN-OS 10.2.4-h19",
        "PAN-OS 10.2.4-h18",
        "PAN-OS 10.2.4-h17",
        "PAN-OS 10.2.4-h16",
        "PAN-OS 10.2.4-h15",
        "PAN-OS 10.2.4-h14",
        "PAN-OS 10.2.4-h13",
        "PAN-OS 10.2.4-h12",
        "PAN-OS 10.2.4-h11",
        "PAN-OS 10.2.4-h10",
        "PAN-OS 10.2.4-h9",
        "PAN-OS 10.2.4-h8",
        "PAN-OS 10.2.4-h7",
        "PAN-OS 10.2.4-h6",
        "PAN-OS 10.2.4-h5",
        "PAN-OS 10.2.4-h4",
        "PAN-OS 10.2.4-h3",
        "PAN-OS 10.2.4-h2",
        "PAN-OS 10.2.4-h1",
        "PAN-OS 10.2.4",
        "PAN-OS 10.2.3-h14",
        "PAN-OS 10.2.3-h13",
        "PAN-OS 10.2.3-h12",
        "PAN-OS 10.2.3-h11",
        "PAN-OS 10.2.3-h10",
        "PAN-OS 10.2.3-h9",
        "PAN-OS 10.2.3-h8",
        "PAN-OS 10.2.3-h7",
        "PAN-OS 10.2.3-h6",
        "PAN-OS 10.2.3-h5",
        "PAN-OS 10.2.3-h4",
        "PAN-OS 10.2.3-h3",
        "PAN-OS 10.2.3-h2",
        "PAN-OS 10.2.3-h1",
        "PAN-OS 10.2.3",
        "PAN-OS 10.2.2-h6",
        "PAN-OS 10.2.2-h5",
        "PAN-OS 10.2.2-h4",
        "PAN-OS 10.2.2-h3",
        "PAN-OS 10.2.2-h2",
        "PAN-OS 10.2.2-h1",
        "PAN-OS 10.2.2",
        "PAN-OS 10.2.1-h3",
        "PAN-OS 10.2.1-h2",
        "PAN-OS 10.2.1-h1",
        "PAN-OS 10.2.1",
        "PAN-OS 10.2.0-h4",
        "PAN-OS 10.2.0-h3",
        "PAN-OS 10.2.0-h2",
        "PAN-OS 10.2.0-h1",
        "PAN-OS 10.2.0",
        "PAN-OS 10.1.14-h13",
        "PAN-OS 10.1.14-h11",
        "PAN-OS 10.1.14-h10",
        "PAN-OS 10.1.14-h9",
        "PAN-OS 10.1.14-h8",
        "PAN-OS 10.1.14-h7",
        "PAN-OS 10.1.14-h6",
        "PAN-OS 10.1.14-h5",
        "PAN-OS 10.1.14-h4",
        "PAN-OS 10.1.14-h3",
        "PAN-OS 10.1.14-h2",
        "PAN-OS 10.1.14-h1",
        "PAN-OS 10.1.14",
        "PAN-OS 10.1.13-h5",
        "PAN-OS 10.1.13-h4",
        "PAN-OS 10.1.13-h3",
        "PAN-OS 10.1.13-h2",
        "PAN-OS 10.1.13-h1",
        "PAN-OS 10.1.13",
        "PAN-OS 10.1.12-h3",
        "PAN-OS 10.1.12-h2",
        "PAN-OS 10.1.12-h1",
        "PAN-OS 10.1.12",
        "PAN-OS 10.1.11-h10",
        "PAN-OS 10.1.11-h9",
        "PAN-OS 10.1.11-h8",
        "PAN-OS 10.1.11-h7",
        "PAN-OS 10.1.11-h6",
        "PAN-OS 10.1.11-h5",
        "PAN-OS 10.1.11-h4",
        "PAN-OS 10.1.11-h3",
        "PAN-OS 10.1.11-h2",
        "PAN-OS 10.1.11-h1",
        "PAN-OS 10.1.11",
        "PAN-OS 10.1.10-h9",
        "PAN-OS 10.1.10-h8",
        "PAN-OS 10.1.10-h7",
        "PAN-OS 10.1.10-h6",
        "PAN-OS 10.1.10-h5",
        "PAN-OS 10.1.10-h4",
        "PAN-OS 10.1.10-h3",
        "PAN-OS 10.1.10-h2",
        "PAN-OS 10.1.10-h1",
        "PAN-OS 10.1.10",
        "PAN-OS 10.1.9-h14",
        "PAN-OS 10.1.9-h13",
        "PAN-OS 10.1.9-h12",
        "PAN-OS 10.1.9-h11",
        "PAN-OS 10.1.9-h10",
        "PAN-OS 10.1.9-h9",
        "PAN-OS 10.1.9-h8",
        "PAN-OS 10.1.9-h7",
        "PAN-OS 10.1.9-h6",
        "PAN-OS 10.1.9-h5",
        "PAN-OS 10.1.9-h4",
        "PAN-OS 10.1.9-h3",
        "PAN-OS 10.1.9-h2",
        "PAN-OS 10.1.9-h1",
        "PAN-OS 10.1.9",
        "PAN-OS 10.1.8-h8",
        "PAN-OS 10.1.8-h7",
        "PAN-OS 10.1.8-h6",
        "PAN-OS 10.1.8-h5",
        "PAN-OS 10.1.8-h4",
        "PAN-OS 10.1.8-h3",
        "PAN-OS 10.1.8-h2",
        "PAN-OS 10.1.8-h1",
        "PAN-OS 10.1.8",
        "PAN-OS 10.1.7-h1",
        "PAN-OS 10.1.7",
        "PAN-OS 10.1.6-h9",
        "PAN-OS 10.1.6-h8",
        "PAN-OS 10.1.6-h7",
        "PAN-OS 10.1.6-h6",
        "PAN-OS 10.1.6-h5",
        "PAN-OS 10.1.6-h4",
        "PAN-OS 10.1.6-h3",
        "PAN-OS 10.1.6-h2",
        "PAN-OS 10.1.6-h1",
        "PAN-OS 10.1.6",
        "PAN-OS 10.1.5-h4",
        "PAN-OS 10.1.5-h3",
        "PAN-OS 10.1.5-h2",
        "PAN-OS 10.1.5-h1",
        "PAN-OS 10.1.5",
        "PAN-OS 10.1.4-h6",
        "PAN-OS 10.1.4-h5",
        "PAN-OS 10.1.4-h4",
        "PAN-OS 10.1.4-h3",
        "PAN-OS 10.1.4-h2",
        "PAN-OS 10.1.4-h1",
        "PAN-OS 10.1.4",
        "PAN-OS 10.1.3-h4",
        "PAN-OS 10.1.3-h3",
        "PAN-OS 10.1.3-h2",
        "PAN-OS 10.1.3-h1",
        "PAN-OS 10.1.3",
        "PAN-OS 10.1.2",
        "PAN-OS 10.1.1",
        "PAN-OS 10.1.0"
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2025-0136",
    "datePublished": "2025-05-14T18:12:14.153Z",
    "dateReserved": "2024-12-20T23:24:32.158Z",
    "dateUpdated": "2025-05-14T19:43:47.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-5920 (GCVE-0-2024-5920)
Vulnerability from
Published
2024-11-14 09:40
Modified
2025-04-30 18:39
Severity ?
4.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator's browser.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Create a notification for this product.
   Palo Alto Networks PAN-OS Version: 11.1.0   < 11.1.4
Version: 11.0.0   < 11.0.6
Version: 10.2.0   < 10.2.7-h24
Version: 10.1.0   < 10.1.14
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-14T18:57:37.177943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-14T19:35:21.731Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "11.2.0"
            },
            {
              "changes": [
                {
                  "at": "11.1.4",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.4",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.0.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.6",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.11",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.10-h14",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.7-h24",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.7-h24",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.1.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.1.14",
              "status": "affected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kajetan Rostojek"
        }
      ],
      "datePublic": "2024-11-13T18:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator\u0027s browser."
            }
          ],
          "value": "A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator\u0027s browser."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T18:39:21.484Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2024-5920"
        }
      ],
      "solutions": [
        {
          "lang": "eng",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue is fixed in PAN-OS 10.1.14, PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.4, and all later PAN-OS versions."
            }
          ],
          "value": "This issue is fixed in PAN-OS 10.1.14, PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.4, and all later PAN-OS versions."
        }
      ],
      "source": {
        "defect": [
          "PAN-222484"
        ],
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-11-13T17:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2024-5920",
    "datePublished": "2024-11-14T09:40:14.513Z",
    "dateReserved": "2024-06-12T15:27:57.515Z",
    "dateUpdated": "2025-04-30T18:39:21.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-9468 (GCVE-0-2024-9468)
Vulnerability from
Published
2024-10-09 17:05
Modified
2025-04-30 18:37
Severity ?
8.2 (High) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber
CWE
Summary
A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode.
References
Impacted products
Vendor Product Version
Palo Alto Networks Cloud NGFW Patch: All
 Create a notification for this product.
   Palo Alto Networks PAN-OS Patch: 11.2.0
Version: 11.1.0   < 11.1.3
Version: 11.0.0   < 11.0.4-h5
Version: 10.2.0   < 10.2.4-h24
Patch: 10.1.0
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h19:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h23:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h22:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h21:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h20:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h18:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h17:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h23:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h22:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h21:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
 Create a notification for this product.
   Palo Alto Networks Prisma Access Patch: All
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-9468",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T21:06:48.028506Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T21:06:56.884Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Cloud NGFW",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h19:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h23:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h22:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h21:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h20:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h18:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h17:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h23:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h22:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h21:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*",
            "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "11.2.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.1.3",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.1.3",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "11.0.4-h5",
                  "status": "unaffected"
                },
                {
                  "at": "11.0.6",
                  "status": "unaffected"
                }
              ],
              "lessThan": "11.0.4-h5",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.2.9-h11",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.10-h4",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.11",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.8-h20",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.7-h24",
                  "status": "unaffected"
                },
                {
                  "at": "10.2.4-h24",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.2.4-h24",
              "status": "affected",
              "version": "10.2.0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "10.1.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Prisma Access",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "All",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue affects only PAN-OS configurations where both of the following are true:\u003cbr\u003e* Threat Prevention is enabled, and\u003cbr\u003e* The TP signature 86467 (\"Possible Domain Fronting Detection-SNI\") is enabled on an Anti-Spyware profile."
            }
          ],
          "value": "This issue affects only PAN-OS configurations where both of the following are true:\n* Threat Prevention is enabled, and\n* The TP signature 86467 (\"Possible Domain Fronting Detection-SNI\") is enabled on an Anti-Spyware profile."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeff Luo of Palo Alto Networks"
        }
      ],
      "datePublic": "2024-10-09T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode."
            }
          ],
          "value": "A memory corruption vulnerability in Palo Alto Networks PAN-OS software allows an unauthenticated attacker to crash PAN-OS due to a crafted packet through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
            }
          ],
          "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-30T18:37:25.963Z",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2024-9468"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue is fixed in 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions."
            }
          ],
          "value": "This issue is fixed in 10.2.9-h11, 10.2.10-h4, PAN-OS 10.2.11, PAN-OS 11.0.4-h5, PAN-OS 11.0.6, PAN-OS 11.1.3, and all later PAN-OS versions."
        }
      ],
      "source": {
        "defect": [
          "PAN-244840"
        ],
        "discovery": "INTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-09T16:00:00.000Z",
          "value": "Initial publication"
        }
      ],
      "title": "PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854)."
            }
          ],
          "value": "Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 94971 (introduced in Applications and Threats content version 8854)."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2024-9468",
    "datePublished": "2024-10-09T17:05:29.055Z",
    "dateReserved": "2024-10-03T11:35:15.246Z",
    "dateUpdated": "2025-04-30T18:37:25.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

displaying 11 - 20 organizations in total 46