CVE-2025-0111 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-02-12

Added to CISA KEV: 2025-02-20 8 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Immediately upgrade to patched versions: 10.1.14-h9+, 10.2.13-h3+, 11.1.6-h1+, or 11.2.4-h4+
Restrict management interface access to trusted internal IP addresses only
Enable Threat Prevention signatures (Threat ID 510000 and 510001) if available
Monitor management interface access logs for suspicious activity
Patch priority: CRITICAL - immediate patching required due to active exploitation

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-0111 is an authenticated file read vulnerability affecting the management web interface of Palo Alto Networks PAN-OS software ^[4]. It has been assigned a CVSS score of 7.1 (HIGH) ^[6].

Active Exploitation and Threat Actor Usage

Active Exploitation: The vulnerability has been observed being exploited in the wild ^[5].
Exploit Chaining: Threat actors have been observed chaining CVE-2025-0111 with other vulnerabilities, specifically CVE-2025-0108 and CVE-2024-9474, to conduct attacks against unpatched and unsecured PAN-OS web management interfaces ^[1]. This chain is used to escalate privileges, as the other vulnerabilities in the chain can grant root access ^[5].

Attack Method and Requirements

Access Requirements: The attacker must have network access to the management web interface ^[7].
Authentication: The vulnerability requires the attacker to be authenticated to the management interface ^[4].
Method: Successful exploitation allows an attacker to read files on the PAN-OS filesystem that are readable by the "nobody" user ^[6].

Impact and Access

Impact: Exploitation provides unauthorized access to sensitive information stored on the system ^[3].
Data Accessible: Attackers can potentially read configuration files, logs, or credential stores that are accessible to the "nobody" service account ^[3].

Patch and Mitigation Status

Status: Palo Alto Networks released fixes for this vulnerability in February 2025 ^[1].
Mitigation: Administrators are advised to ensure their PAN-OS software is updated to the patched versions. Additionally, restricting access to the management web interface to trusted internal networks is a recommended security practice to reduce exposure ^[2].

Sources

Palo Alto PAN-OS Firewall Flaw CVE-2025-0111 Used in Exploit Chaining ...
Despite fixes also being released for CVE-2025-0111 in February 2025, Palo Alto updated a previously distributed advisory after observing threat actors chaining it with CVE-2025-0108 and CVE-2024-9474 in exploit attempts on unpatched and unsecured PAN-OS web management interfaces.
reduce exposure to PAN-OS vulnerabilities like CVE-2025-0111
CVE-2025-0111 is an authenticated file read vulnerability that affects the firewall's management interface. The primary risk is when this ...
Breaking Down Palo Alto Networks PAN-OS Vulnerability - Armis
CVE-2025-0111 allows reading of configuration files, logs, or credential stores that are accessible to the “nobody” service account. For example ...
CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in ...
An authenticated file read vulnerability in the management web interface of the Palo Alto Networks PAN-OS software enables an authenticated attacker with ... Learn how an attacker can exploit a file read vulnerability in the management web interface of Palo Alto Networks PAN-OS software to access re…
Palo Alto Networks tags new firewall bug as exploited in attacks
CVE-2025-0111 is a file read vulnerability in PAN-OS that allows authenticated attackers to read sensitive files. It is being chained with CVE-2025-0108 and CVE-2024-9474, two other flaws that grant root privileges, in active attacks.
NVD - CVE-2025-0111
An authenticated attacker can read files on the PAN-OS filesystem that are readable by the “nobody” user. This issue affects some versions of Palo Alto Networks PAN-OS software and has a CVSS score of 7.1 (HIGH).
CVE-2025-0111 Detail - NVD
An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web ...

🔴 CVE-2025-0111