CVE-2025-0110 PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin
Description
A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin enables an authenticated administrator with the ability to make gNMI requests to the PAN-OS management web interface to bypass system restrictions and run arbitrary commands. The commands are run as the “__openconfig” user (which has the Device Administrator role) on the firewall.
You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines.Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS OpenConfig Plugin | < 2.1.2 | >= 2.1.2 |
Required Configuration for Exposure
Your PAN-OS software is vulnerable to this issue only if you enabled the OpenConfig plugin.
- OpenConfig plugin version 2.0.1 or later is installed automatically on PAN-OS version 11.0.4 and all later PAN-OS versions.
- OpenConfig plugin version 2.0.2 or later is installed automatically on PAN-OS version 10.2.11 and later PAN-OS 10.2 versions.
The OpenConfig plugin is accessible to administrators on the PAN-OS management interface on port 9339.
Follow these steps to check the version of the OpenConfig plugin that you are using:
- Select Device > Plugin
- Check the version of the OpenConfig plugin that has a checkmark indicating that it is Currently Installed.
Severity: HIGH, Suggested Urgency: MODERATE
The risk is highest when you allow access to the management interface from external IP addresses on the internet.
CVSS-BT:
7.3 /
CVSS-B:
8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)
You can reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses.
CVSS-BT:
6.6 /
CVSS-B:
7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Solution
This issue is fixed in PAN-OS OpenConfig plugin 2.1.2 and all later PAN-OS OpenConfig plugin versions. You can update the OpenConfig plugin without updating your PAN-OS version by following our process for upgrading Panorama plugins.
OpenConfig Plugin 2.1.2 is available by default on PAN-OS 11.2.5 and all later PAN-OS versions.
Workarounds and Mitigations
Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our best practices deployment guidelines. Specifically, you should restrict management interface access to only trusted internal IP addresses.
Review information about how to secure management access to your Palo Alto Networks firewalls:
- Palo Alto Networks LIVEcommunity article:https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
- Palo Alto Networks official and detailed technical documentation:https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices
- Select Device > Plugins.
- Locate the installed OpenConfig plugin.
- Remove Config to disable the OpenConfig plugin
OR
Uninstall the OpenConfig plugin.
