Google’s Project Zero and Mandiant cybersecurity teams have jointly published a proof-of-concept (PoC) exploit for a high-severity command injection vulnerability in Palo Alto Networks’ PAN-OS OpenConfig plugin. Tracked as CVE-2025-0110, the flaw allows authenticated administrators to execute arbitrary commands on firewalls via manipulated gNMI requests, escalating privileges to root access.

CVE-2025-0110 resides in the PAN-OS OpenConfig plugin, which facilitates network device configuration via the gNMI protocol. Attackers exploiting this flaw can bypass security restrictions by injecting malicious commands into the type parameter of an XPATH query during syslog retrieval. Successful exploitation allows attackers to reconfigure firewalls, exfiltrate sensitive data, or deploy persistent backdoors like the UPSTYLE malware observed in prior PAN-OS campaigns.

While CVE-2025-0110 requires authentication, Google’s researchers emphasize its danger when combined with CVE-2025-0108, an authentication bypass flaw patched earlier this month. Palo Alto Networks confirmed active exploitation of this chained attack vector, with GreyNoise observing 26 malicious IPs targeting exposed management interfaces.

The disclosure follows Palo Alto Networks’ February 2025 patch release and highlights growing concerns about firewall exploitation chains in critical infrastructure. Google’s disclosure aligns with its 90-day vulnerability disclosure policy, noting that patches were available prior to publication.

Patch prioritization: immediate installation of PAN-OS updates, particularly for firewalls with public management interfaces.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Feb 2025 03:45:16 +0000