CVSS: 7.1EPSS: 4%CPEs: 4EXPL: 0CVE-2025-0111 – Palo Alto Networks PAN-OS File Read Vulnerability
https://notcve.org/view.php?id=CVE-2025-0111
12 Feb 2025 — An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-am... • https://security.paloaltonetworks.com/CVE-2025-0111 • CWE-73: External Control of File Name or Path •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-0109 – PAN-OS: Unauthenticated File Deletion Vulnerability on the Management Web Interface
https://notcve.org/view.php?id=CVE-2025-0109
12 Feb 2025 — An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface enables an unauthenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes limited logs and configuration files but does not include system files. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deplo... • https://security.paloaltonetworks.com/CVE-2024-0109 • CWE-73: External Control of File Name or Path •
CVSS: 9.4EPSS: 93%CPEs: 4EXPL: 6CVE-2025-0108 – Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2025-0108
12 Feb 2025 — An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface ... • https://github.com/iSee857/CVE-2025-0108-PoC • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.3EPSS: 94%CPEs: 5EXPL: 11CVE-2024-9474 – Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-9474
18 Nov 2024 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability. Una vulnerabilidad de escalada de privilegios en el software PAN-OS de Palo Alto Networks permite que un administrador de PAN-OS con acceso a la interfaz web de administración realice acciones en el firewall con privilegios de superusuar... • https://packetstorm.news/files/id/183312 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 94%CPEs: 4EXPL: 13CVE-2024-0012 – Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-0012
18 Nov 2024 — An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting acce... • https://packetstorm.news/files/id/183312 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-9472 – PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic
https://notcve.org/view.php?id=CVE-2024-9472
14 Nov 2024 — A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in PAN-OS entering maintenance mode. Palo Alto Networks VM-Series, Cloud NGFW, and Prisma Access are not affected. T... • https://security.paloaltonetworks.com/CVE-2024-9472 • CWE-476: NULL Pointer Dereference •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-0011 – PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering
https://notcve.org/view.php?id=CVE-2022-0011
10 Feb 2022 — PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the sp... • https://security.paloaltonetworks.com/CVE-2022-0011 • CWE-436: Interpretation Conflict •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2021-3061 – PAN-OS: OS Command Injection Vulnerability in the Command Line Interface (CLI)
https://notcve.org/view.php?id=CVE-2021-3061
10 Nov 2021 — An OS command injection vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables an authenticated administrator with access to the CLI to execute arbitrary OS commands to escalate privileges. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11-h2; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 10.1 versions earlier than PAN-OS 10.1.3. Prisma Access customer... • https://security.paloaltonetworks.com/CVE-2021-3061 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.3EPSS: 43%CPEs: 7EXPL: 2CVE-2021-3060 – PAN-OS: OS Command Injection in Simple Certificate Enrollment Protocol (SCEP)
https://notcve.org/view.php?id=CVE-2021-3060
10 Nov 2021 — An OS command injection vulnerability in the Simple Certificate Enrollment Protocol (SCEP) feature of PAN-OS software allows an unauthenticated network-based attacker with specific knowledge of the firewall configuration to execute arbitrary code with root user privileges. The attacker must have network access to the GlobalProtect interfaces to exploit this issue. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.20-h1; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14-h3; PAN-OS 9.1 versions ear... • https://github.com/anmolksachan/CVE-2021-3060 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •