7.1

CVE-2025-0127

Media report

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorPalo Alto Networks
Product Cloud NGFW
Default Statusunaffected
Version All
Status unaffected
VendorPalo Alto Networks
Product PAN-OS
Default Statusunaffected
Version 11.2.0
Status unaffected
Version 11.1.0
Status unaffected
Version < 11.0.4
Version 11.0.0
Status affected
Version < 10.2.9
Version 10.2.0
Status affected
Version < 10.1.14-h13
Version 10.1.0
Status affected
VendorPalo Alto Networks
Product Prisma Access
Default Statusunaffected
Version All
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.06% 0.178
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
psirt@paloaltonetworks.com 7.1 0 0
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.