What is PAN-OS?
Palo Alto Networks PAN-OS is the operating system running on Palo Alto Networks next-generation firewalls (NGFWs) and Panorama centralized management servers. PAN-OS devices serve as network perimeter defenses in enterprise, government, and critical infrastructure environments worldwide, providing firewall policy enforcement, VPN gateway functionality, and threat prevention services. The management web interface provides administrative control over device configuration, policy, and status — and because it is sometimes mistakenly exposed to the internet, it has become a recurring target for initial access.
Overview
CVE-2025-0111 is an authenticated file read vulnerability in the PAN-OS management web interface that allows a low-privileged attacker with network access to the interface to read arbitrary files accessible by the nobody system user. On its own the vulnerability requires authentication; however, it was disclosed the same day as CVE-2025-0108, an authentication bypass in the same interface, creating a two-CVE chain that converts this into an unauthenticated file read. CISA added it to the KEV catalog eight days after publication as exploitation in the wild was confirmed against exposed PAN-OS management interfaces.
Affected Versions
| PAN-OS Version | Vulnerable | Fixed |
|---|---|---|
| 11.2.x | < 11.2.4-h4 | 11.2.4-h4 |
| 11.1.x | < 11.1.6-h1 | 11.1.6-h1 |
| 11.0.x | End of life | Upgrade required |
| 10.2.x | < 10.2.13-h3 | 10.2.13-h3 |
| 10.1.x | < 10.1.14-h9 | 10.1.14-h9 |
| Cloud NGFW | Not affected | — |
| Prisma Access | Not affected | — |
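The table above can be turned into an inventory check. The following is an added example, not vendor code: it encodes only the fixed releases listed on this page, the function names are hypothetical, and the sample versions are constructed. Hotfix numbers are compared numerically, so `-h10` sorts after `-h9`.

```python
import re

# Fixed releases per branch, copied from the table above.
FIXED = {
    "11.2": "11.2.4-h4",
    "11.1": "11.1.6-h1",
    "10.2": "10.2.13-h3",
    "10.1": "10.1.14-h9",
}
END_OF_LIFE = {"11.0"}  # listed above as "Upgrade required"

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(version):
    """Classify a PAN-OS version string against the table above."""
    major, minor, maint, hotfix = parse(version)
    branch = f"{major}.{minor}"
    if branch in END_OF_LIFE:
        return "end-of-life: upgrade required"
    if branch not in FIXED:
        return "branch not listed on this page"
    fixed = parse(FIXED[branch])
    # Compare (maintenance, hotfix) as integers, not as strings.
    if (maint, hotfix) < fixed[2:]:
        return f"vulnerable: upgrade to {FIXED[branch]} or later"
    return "fixed"


if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ["11.2.4-h3", "11.2.4-h4", "11.2.5", "10.2.13", "11.0.6", "9.1.16"]:
        print(f"{v:12} {assess(v)}")
```

Confirm any result against the vendor advisory before acting on it, since this check knows nothing beyond the rows shown here.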
Technical Details
The vulnerability is classified as CWE-73 (External Control of File Name or Path). The management web interface accepts user-supplied path parameters that are insufficiently sanitized, enabling a low-privileged authenticated attacker to traverse the filesystem and read files accessible to the nobody user account. On PAN-OS, such files can include configuration exports, internal state files, and data that may reveal sensitive information about the device's configuration or the network it protects.
The critical risk multiplier is the chaining scenario with CVE-2025-0108 (an authentication bypass in the same management web interface, also published February 12, 2025). Combined:
- CVE-2025-0108 bypasses authentication, granting unauthenticated access to management interface functions.
- CVE-2025-0111 reads arbitrary `nobody`-readable files from the filesystem.
Public proof-of-concept exploit code combining the two vulnerabilities appeared quickly after disclosure. The attack requires network reachability to the management interface — which should never be internet-exposed per Palo Alto's own hardening guidance, but routinely is.
Discovery
Both CVE-2025-0111 and CVE-2025-0108 were disclosed by Palo Alto Networks on February 12, 2025. Security research, including work by Assetnote, contributed to the discovery of management interface vulnerabilities in PAN-OS around this period.
Exploitation Context
Exploitation of the CVE-2025-0108 + CVE-2025-0111 chain was confirmed in the wild. GreyNoise and other threat intelligence providers recorded scanning and exploitation activity targeting exposed PAN-OS management interfaces within days of the advisory. Palo Alto Networks initially reported exploitation against "a limited number of devices," but the attack surface expanded as public exploit code became available. Sensitive files — including configuration data, session tokens, and credential material — were primary exfiltration targets. Organizations with internet-facing PAN-OS management interfaces (contrary to vendor guidance) were at greatest risk.
Remediation
- Apply the PAN-OS fixed versions (11.2.4-h4, 11.1.6-h1, 10.2.13-h3, or 10.1.14-h9 as appropriate for your version branch).
- Immediately restrict management interface network access — the interface must not be reachable from the internet. Restrict to trusted management IP ranges or a dedicated out-of-band management network only.
- If patching is not immediately possible, temporarily disable the HTTPS management web interface and use SSH-only administrative access.
- Review management interface access logs for unusual path traversal patterns (e.g., `../` sequences in request URIs) or requests to unexpected file paths.
- Rotate any credentials or sensitive data stored in PAN-OS configuration files if exploitation of internet-exposed devices cannot be ruled out.
- If you have Threat Prevention enabled, verify that content signatures covering CVE-2025-0108 and CVE-2025-0111 are active.
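One way to carry out the log review step above, as an added example rather than vendor tooling: it flags requests whose URI contains a `..` segment, including percent-encoded and double-encoded forms. The combined-style log format, the function names, and the sample entries are assumptions constructed for illustration; adapt the request pattern to the log you actually export from the device.

```python
import re
from urllib.parse import unquote

# Assumption: entries carry a quoted request line as in the common/combined
# access-log format; adjust the pattern to the log you actually export.
_REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IP ranges, placeholder paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [12/Feb/2025:10:01:05 +0000] "GET /static/../../placeholder.txt HTTP/1.1" 200 96
198.51.100.7 - - [12/Feb/2025:10:01:06 +0000] "GET /page?file=%2e%2e%2f%2e%2e%2fplaceholder.txt HTTP/1.1" 200 96
203.0.113.44 - - [12/Feb/2025:10:01:09 +0000] "GET /a/%252e%252e/placeholder.txt HTTP/1.1" 403 0
192.0.2.10 - - [12/Feb/2025:10:01:11 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 2048
""".splitlines()


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots are seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def has_traversal(uri):
    """True if a '..' segment appears in the decoded path or a parameter value."""
    return ".." in re.split(r"[/\\?&=;]", fully_decode(uri))


def flag_lines(lines):
    """Return (client, raw_uri) for each entry whose URI contains traversal."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if m and has_traversal(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for client, uri in flag_lines(SAMPLE_LOG):
        print(f"{client}  {uri}")
```

Matching on whole `..` segments keeps names such as `release..notes.html` out of the results; a flagged entry with a 200 status deserves closer review than one that was rejected.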
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-0111 |
| Vendor / Product | Palo Alto Networks — PAN-OS |
| NVD Published | 2025-02-12 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-73 |
| CISA KEV Added | 2025-02-20 |
| CISA KEV Deadline | 2025-03-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-02-12 | CVE published; Palo Alto Networks security advisory released |
| 2025-02-20 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-03-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Palo Alto Networks Security Advisory — CVE-2025-0111 | Vendor Advisory |
| NVD — CVE-2025-0111 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |