Google’s Project Zero and Mandiant cybersecurity teams have jointly published a proof-of-concept (PoC) exploit for a high-severity command injection vulnerability in Palo Alto Networks’ PAN-OS OpenConfig plugin.
Tracked as CVE-2025-0110, the flaw allows authenticated administrators to execute arbitrary commands on firewalls via manipulated gNMI requests, escalating privileges to root access.
The disclosure follows Palo Alto Networks’ February 2025 patch release and highlights growing concerns about firewall exploitation chains in critical infrastructure.
CVE-2025-0110 resides in the PAN-OS OpenConfig plugin, which facilitates network device configuration via the gNMI protocol.
Attackers exploiting this flaw can bypass security restrictions by injecting malicious commands into the type parameter of an XPATH query during syslog retrieval. For example, the PoC demonstrates embedding $(echo system > file1; cat file1) into the query to execute bash commands.
bash./gnmic -a :9339 -u admin --password= --skip-verify
--path 'pan-logging:/pan/logging/query/custom[type=$(echo system > file1; cat file1)]'
Successful exploitation allows attackers to reconfigure firewalls, exfiltrate sensitive data, or deploy persistent backdoors like the UPSTYLE malware observed in prior PAN-OS campaigns.
Exploit Chain Risks
While CVE-2025-0110 requires authentication, Google’s researchers emphasize its danger when combined with CVE-2025-0108, an authentication bypass flaw patched earlier this month. Threat actors could chain these vulnerabilities to:
- Bypass login controls via CVE-2025-0108’s PHP script exploitation.
- Escalate privileges using CVE-2025-0110 to gain root access.
- Deploy ransomware or espionage tools, as seen in November 2024 attacks leveraging CVE-2024-9474.
Palo Alto Networks confirmed active exploitation of this chained attack vector, with GreyNoise observing 26 malicious IPs targeting exposed management interfaces.
Palo Alto Networks released fixed OpenConfig plugin versions (≥2.1.2) on February 12, 2025, urging customers to:
- Apply patches immediately (PAN-OS 11.2.4-h4, 11.1.6-h1, etc.).
- Restrict management interface access to trusted IPs.
- Disable OpenConfig if unused.
Google’s disclosure aligns with its 90-day vulnerability disclosure policy, noting that patches were available prior to publication. However, Shadowserver Foundation reports over 3,500 internet-exposed PAN-OS interfaces remain unsecured as of February 21.
- Patch Prioritization: Immediate installation of PAN-OS updates, particularly for firewalls with public management interfaces.
- Network Segmentation: Enforce zero-trust policies to isolate firewall management planes.
- Threat Hunting: Monitor for anomalous gNMI requests or unexpected cron job creation, indicators of UPSTYLE backdoor activity.
Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response and Threat Hunting – Register Here