An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.


The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue does not affect Cloud NGFW and all Prisma® Access instances.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Paloaltonetworks
  • Pan-os

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Specifically, you should restrict management interface access to only trusted internal IP addresses. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article:  https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and detailed technical documentation:  https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

References
Link Providers
https://security.paloaltonetworks.com/CVE-2025-0125 cve-icon cve-icon
History

Fri, 11 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 02:15:00 +0000

Type Values Removed Values Added
Description An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator. The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW and all Prisma® Access instances.
Title PAN-OS: Improper Neutralization of Input in the Management Web Interface
First Time appeared Paloaltonetworks
Paloaltonetworks pan-os
Weaknesses CWE-83
CPEs cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*
Vendors & Products Paloaltonetworks
Paloaltonetworks pan-os
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber'}
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2025-04-11T16:02:10.176Z

Reserved: 2024-12-20T23:23:26.210Z

Link: CVE-2025-0125

cve-icon Vulnrichment

Updated: 2025-04-11T15:35:50.834Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-04-11T02:15:18.820

Modified: 2025-04-11T15:39:52.920

Link: CVE-2025-0125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.