CVE-2025-0137

EPSS 0.08%
Veröffentlicht 14.05.2025 18:09:32
Zuletzt bearbeitet 16.05.2025 14:43:56
Quelle psirt@paloaltonetworks.com
Teams Watchlist Login
Unerledigt Login

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.


The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPalo Alto Networks

≫

Produkt Cloud NGFW

Default Statusunaffected

Version < 6.3.3

Version All

Status unaffected

HerstellerPalo Alto Networks

≫

Produkt PAN-OS

Default Statusunaffected

Version < 11.2.5

Version 11.2.0

Status affected

Version < 11.1.8

Version 11.1.0

Status affected

Version < 10.2.13

Version 10.2.0

Status affected

Version < 10.1.14-h14

Version 10.1.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.252

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@paloaltonetworks.com	4.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber

CWE-83 Improper Neutralization of Script in Attributes in a Web Page

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

https://security.paloaltonetworks.com/CVE-2025-0137

https://nvd.nist.gov/vuln/detail/CVE-2025-0137

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-0137

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-0137

EUVD