SentinelOne
CVE Vulnerability Database

CVE-2025-0111: PAN-OS Information Disclosure Vulnerability

CVE-2025-0111 is an authenticated file read vulnerability in Palo Alto Networks PAN-OS that allows attackers with management web interface access to read sensitive files. This article covers technical details, impact, and mitigation.


CVE-2025-0111 Overview

An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the "nobody" user.

You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses, in line with Palo Alto Networks' recommended best-practice deployment guidelines.

Critical Impact

Allows unauthorized access to critical files, potentially exposing sensitive information.

Affected Products

  • Palo Alto Networks PAN-OS 10.1.14
  • Palo Alto Networks PAN-OS 10.2.7
  • Palo Alto Networks PAN-OS 11.2.4

Discovery Timeline

  • Unknown - Vulnerability discovered (reporter not available)
  • Unknown - Responsible disclosure to Palo Alto Networks
  • Unknown - CVE-2025-0111 assigned
  • Unknown - Palo Alto Networks releases security patch
  • 2025-02-12 - CVE-2025-0111 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2025-0111

Vulnerability Analysis

An authenticated attacker can read any file on the PAN-OS filesystem that is readable by the "nobody" user. This could expose sensitive configuration files or other critical information.

Root Cause

The root cause of this vulnerability is improper access controls on file system resources accessible by the "nobody" user.

Attack Vector

The attack vector is network-based, and requires the attacker to have network access to the management web interface of the affected PAN-OS devices.

python
# Example exploitation code (sanitized)
def exploit(pan_os_url, auth_token):
    import requests
    headers = {'Authorization': f'Bearer {auth_token}'}
    file_to_read = '/etc/passwd'
    response = requests.get(f'{pan_os_url}/api/filesystem?file={file_to_read}', headers=headers)
    return response.text

Detection Methods for CVE-2025-0111

Indicators of Compromise

  • Unusual access logs to the management web interface
  • File reads logged with "nobody" user
  • Access from abnormal IP addresses

Detection Strategies

Utilize network intrusion detection systems (NIDS) to monitor unusual access patterns to the management web interface and correlate with any unexpected file access logs.

Monitoring Recommendations

Regularly review access logs and employ behavioral analytics to detect anomalies in access patterns to the PAN-OS management interfaces.
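The log review described above can be partly automated by checking every management-interface access record against the trusted address ranges. The following is an added example, not code from this page or from Palo Alto Networks; the allowlist, the four-field record layout, the paths and the sample records are constructed assumptions, and real PAN-OS logs must first be mapped to these fields.

```python
import ipaddress

# Assumption: the trusted ranges permitted to reach the management interface.
TRUSTED_NETWORKS = ["10.20.0.0/24", "192.0.2.10/32"]

# Constructed sample records in a hypothetical "timestamp src_ip user path"
# layout (not the native PAN-OS log format).
SAMPLE_LOG = """\
2025-02-13T08:01:12Z 10.20.0.15 admin /example/login
2025-02-13T08:03:40Z 203.0.113.77 svc-backup /example/login
2025-02-13T08:03:41Z 203.0.113.77 svc-backup /example/export
2025-02-13T08:05:02Z 192.0.2.10 admin /example/dashboard
2025-02-13T08:07:19Z not-an-ip admin /example/login
2025-02-13T08:09:55Z 198.51.100.4 admin /example/login
"""


def audit_management_access(log_text, trusted_cidrs):
    """Return (untrusted, malformed).

    untrusted maps each source IP outside the trusted ranges to its hit
    count, the accounts it used and the first timestamp seen. malformed
    lists line numbers that could not be parsed, so unparseable records
    are reported instead of being silently treated as benign.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    untrusted, malformed = {}, []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            malformed.append(lineno)
            continue
        timestamp, src, user, _path = fields
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            malformed.append(lineno)
            continue
        if any(addr in net for net in networks):
            continue  # source is inside a trusted range
        entry = untrusted.setdefault(
            str(addr), {"count": 0, "users": set(), "first_seen": timestamp})
        entry["count"] += 1
        entry["users"].add(user)
    return untrusted, malformed


if __name__ == "__main__":
    hits, bad_lines = audit_management_access(SAMPLE_LOG, TRUSTED_NETWORKS)
    for ip, info in sorted(hits.items()):
        print(ip, info["count"], sorted(info["users"]), info["first_seen"])
    print("unparseable lines:", bad_lines)
```

Any source reported here reached the management interface from outside the permitted ranges and should be reviewed together with the account it authenticated as.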

How to Mitigate CVE-2025-0111

Immediate Actions Required

  • Restrict management interface access to trusted IPs
  • Update PAN-OS to the latest secure version
  • Regularly monitor and audit user access logs

Patch Information

Updates and patches are available from Palo Alto Networks. Refer to the Vendor Advisory for details.

Workarounds

Restrict network access to the management interfaces to only trusted IP addresses as outlined in Palo Alto Networks best practice guidelines.

bash
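# Configuration example (PAN-OS CLI, configuration mode)
# Attach the interface management profile named "trusted" to ethernet1/1
# (assumes a Layer 3 interface and that the profile already exists)
set network interface ethernet ethernet1/1 layer3 interface-management-profile trusted
# Limit the dedicated management interface to trusted source addresses
set deviceconfig system permitted-ip <trusted-ip-address>
commit force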

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
