What is the severity of CVE-2025-0111?

CVE-2025-0111 has been classified as a high severity vulnerability due to its potential for unauthorized file access.

How do I fix CVE-2025-0111?

To mitigate CVE-2025-0111, upgrade to PAN-OS versions 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.4-h4.

Who is affected by CVE-2025-0111?

CVE-2025-0111 affects users of Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access running vulnerable versions.

What kind of access does CVE-2025-0111 require?

CVE-2025-0111 requires an authenticated attacker to have network access to the management web interface.

What can an attacker do with CVE-2025-0111?

An attacker exploiting CVE-2025-0111 can read files on the PAN-OS filesystem that are accessible by the 'nobody' user.

Vulnerability/
CVE-2025-0111

Exploited

high

7.1

CWE

73 610

12/2/2025

21/2/2025

CVE-2025-0111: PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface (Severity: HIGH)

First published: Wed Feb 12 2025(Updated: )

An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.

Credit: psirt@paloaltonetworks.com

Affected Software	Affected Version	How to fix
Palo Alto Networks Cloud NGFW
Palo Alto PAN-OS	<10.1.14-h9=10.1.0<10.2.7-h24=10.2.0<11.1.6-h1=11.1.0<11.2.4-h4=11.2.0	10.1.14-h9 10.2.7-h24 10.2.8-h21 10.2.9-h21 10.2.12-h6 10.2.13-h3 10.2.10-h14 10.2.11-h12 11.1.6-h1 11.1.2-h18 11.2.4-h4
Palo Alto Networks Prisma Access
Palo Alto PAN-OS
Palo Alto Networks PAN-OS	>=10.1.0<10.1.14
Palo Alto Networks PAN-OS	>=10.2.0<10.2.7
Palo Alto Networks PAN-OS	>=10.2.10<10.2.12
Palo Alto Networks PAN-OS	>=11.0.0<11.1.6
Palo Alto Networks PAN-OS	>=11.2.0<11.2.4
Palo Alto Networks PAN-OS	=10.1.14
Palo Alto Networks PAN-OS	=10.1.14-h2
Palo Alto Networks PAN-OS	=10.1.14-h4
Palo Alto Networks PAN-OS	=10.1.14-h6
Palo Alto Networks PAN-OS	=10.1.14-h8
Palo Alto Networks PAN-OS	=10.2.7
Palo Alto Networks PAN-OS	=10.2.7-h1
Palo Alto Networks PAN-OS	=10.2.7-h12
Palo Alto Networks PAN-OS	=10.2.7-h16
Palo Alto Networks PAN-OS	=10.2.7-h18
Palo Alto Networks PAN-OS	=10.2.7-h19
Palo Alto Networks PAN-OS	=10.2.7-h21
Palo Alto Networks PAN-OS	=10.2.7-h3
Palo Alto Networks PAN-OS	=10.2.7-h6
Palo Alto Networks PAN-OS	=10.2.7-h8
Palo Alto Networks PAN-OS	=10.2.8
Palo Alto Networks PAN-OS	=10.2.8-h10
Palo Alto Networks PAN-OS	=10.2.8-h13
Palo Alto Networks PAN-OS	=10.2.8-h15
Palo Alto Networks PAN-OS	=10.2.8-h18
Palo Alto Networks PAN-OS	=10.2.8-h19
Palo Alto Networks PAN-OS	=10.2.8-h3
Palo Alto Networks PAN-OS	=10.2.8-h4
Palo Alto Networks PAN-OS	=10.2.9
Palo Alto Networks PAN-OS	=10.2.9-h1
Palo Alto Networks PAN-OS	=10.2.9-h11
Palo Alto Networks PAN-OS	=10.2.9-h14
Palo Alto Networks PAN-OS	=10.2.9-h16
Palo Alto Networks PAN-OS	=10.2.9-h18
Palo Alto Networks PAN-OS	=10.2.9-h19
Palo Alto Networks PAN-OS	=10.2.9-h9
Palo Alto Networks PAN-OS	=10.2.12
Palo Alto Networks PAN-OS	=10.2.12-h1
Palo Alto Networks PAN-OS	=10.2.12-h2
Palo Alto Networks PAN-OS	=10.2.12-h3
Palo Alto Networks PAN-OS	=10.2.12-h4
Palo Alto Networks PAN-OS	=10.2.13
Palo Alto Networks PAN-OS	=10.2.13-h1
Palo Alto Networks PAN-OS	=10.2.13-h2
Palo Alto Networks PAN-OS	=11.1.6
Palo Alto Networks PAN-OS	=11.2.4
Palo Alto Networks PAN-OS	=11.2.4-h1
Palo Alto Networks PAN-OS	=11.2.4-h2

Remedy

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practices deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). Specifically, you should restrict management interface access to only trusted internal IP addresses. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article:https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and detailed technical documentation:https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices Additionally, customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510000 and 510001 (introduced in Applications and Threats content version 8943). https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Remedy

VERSION MINOR VERSION SUGGESTED SOLUTION PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h9 or later PAN-OS 10.2 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or later 10.2.7 Upgrade to 10.2.7-h24 or 10.2.13-h3 or later 10.2.8 Upgrade to 10.2.8-h21 or 10.2.13-h3 or later 10.2.9 Upgrade to 10.2.9-h21 or 10.2.13-h3 or later 10.2.10 Upgrade to 10.2.10-h14 or 10.2.13-h3 or later 10.2.11 Upgrade to 10.2.11-h12 or 10.2.13-h3 or later 10.2.12 Upgrade to 10.2.12-h6 or 10.2.13-h3 or later PAN-OS 11.0 (EoL) Upgrade to a supported fixed version PAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or later 11.1.2 Upgrade to 11.1.2-h18 or 11.1.6-h1 or later PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.4-h4 or later Note: PAN-OS 11.0 reached end of life (EoL) on November 17, 2024. No additional fixes are planned for this release.

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is the severity of CVE-2025-0111?
CVE-2025-0111 has been classified as a high severity vulnerability due to its potential for unauthorized file access.
How do I fix CVE-2025-0111?
To mitigate CVE-2025-0111, upgrade to PAN-OS versions 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.4-h4.
Who is affected by CVE-2025-0111?
CVE-2025-0111 affects users of Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access running vulnerable versions.
What kind of access does CVE-2025-0111 require?
CVE-2025-0111 requires an authenticated attacker to have network access to the management web interface.
What can an attacker do with CVE-2025-0111?
An attacker exploiting CVE-2025-0111 can read files on the PAN-OS filesystem that are accessible by the 'nobody' user.

agent/first-publish-date
agent/type
agent/author
collector/the-register
source/The Register
alias/CVE-2024-9474
alias/CVE-2025-0108
alias/CVE-2025-0111
collector/bleeping-computer
source/BleepingComputer
collector/darkreading
source/Dark Reading
agent/news-ai
zeroday/true
exploited/true
collector/paloaltonetworks-api
source/Palo Alto Networks
agent/software-canonical-lookup
agent/title
collector/cisa-known-exploited
source/CISA
agent/remedy
agent/source
agent/description
collector/mitre-cve
source/MITRE
alias/CVE-2025-23209
collector/paloaltonetworks-latest
agent/weakness
agent/references
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/tags
agent/event
collector/nvd-api
source/NVD
agent/trending
vendor/palo alto networks
canonical/palo alto networks cloud ngfw
canonical/palo alto pan-os
version/palo alto pan-os/10.1.0
version/palo alto pan-os/10.2.0
version/palo alto pan-os/11.1.0
version/palo alto pan-os/11.2.0
canonical/palo alto networks prisma access
vendor/paloaltonetworks
canonical/palo alto networks pan-os
version/palo alto networks pan-os/10.1.0
version/palo alto networks pan-os/10.2.0
version/palo alto networks pan-os/10.2.10
version/palo alto networks pan-os/11.0.0
version/palo alto networks pan-os/11.2.0
version/palo alto networks pan-os/10.1.14
version/palo alto networks pan-os/10.1.14-h2
version/palo alto networks pan-os/10.1.14-h4
version/palo alto networks pan-os/10.1.14-h6
version/palo alto networks pan-os/10.1.14-h8
version/palo alto networks pan-os/10.2.7
version/palo alto networks pan-os/10.2.7-h1
version/palo alto networks pan-os/10.2.7-h12
version/palo alto networks pan-os/10.2.7-h16
version/palo alto networks pan-os/10.2.7-h18
version/palo alto networks pan-os/10.2.7-h19
version/palo alto networks pan-os/10.2.7-h21
version/palo alto networks pan-os/10.2.7-h3
version/palo alto networks pan-os/10.2.7-h6
version/palo alto networks pan-os/10.2.7-h8
version/palo alto networks pan-os/10.2.8
version/palo alto networks pan-os/10.2.8-h10
version/palo alto networks pan-os/10.2.8-h13
version/palo alto networks pan-os/10.2.8-h15
version/palo alto networks pan-os/10.2.8-h18
version/palo alto networks pan-os/10.2.8-h19
version/palo alto networks pan-os/10.2.8-h3
version/palo alto networks pan-os/10.2.8-h4
version/palo alto networks pan-os/10.2.9
version/palo alto networks pan-os/10.2.9-h1
version/palo alto networks pan-os/10.2.9-h11
version/palo alto networks pan-os/10.2.9-h14
version/palo alto networks pan-os/10.2.9-h16
version/palo alto networks pan-os/10.2.9-h18
version/palo alto networks pan-os/10.2.9-h19
version/palo alto networks pan-os/10.2.9-h9
version/palo alto networks pan-os/10.2.12
version/palo alto networks pan-os/10.2.12-h1
version/palo alto networks pan-os/10.2.12-h2
version/palo alto networks pan-os/10.2.12-h3
version/palo alto networks pan-os/10.2.12-h4
version/palo alto networks pan-os/10.2.13
version/palo alto networks pan-os/10.2.13-h1
version/palo alto networks pan-os/10.2.13-h2
version/palo alto networks pan-os/11.1.6
version/palo alto networks pan-os/11.2.4
version/palo alto networks pan-os/11.2.4-h1
version/palo alto networks pan-os/11.2.4-h2

CVE-2025-0111: PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface (Severity: HIGH)

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2025-0111?

How do I fix CVE-2025-0111?

Who is affected by CVE-2025-0111?

What kind of access does CVE-2025-0111 require?

What can an attacker do with CVE-2025-0111?

Company

Resources

Contact