Command Injection Flaw in Palo Alto PAN-OS Allows Root-Level Code Execution
gbhackers
A newly disclosed command injection vulnerability (CVE-2025-4230) in Palo Alto Networks PAN-OS software enables authenticated administrators to bypass restrictions and execute arbitrary commands with root privileges.
With a CVSS v4.0 score of 5.7 (Medium severity), this flaw highlights risks in privileged access management for network security appliances.
Vulnerability Overview and Attack Vector
The vulnerability stems from improper neutralization of special elements in OS commands (CWE-78), allowing authenticated admins to exploit the PAN-OS CLI for command injection (CAPEC-248).
Attackers with CLI access can escalate privileges to root, enabling:
- Arbitrary file system modifications
- Unauthorized service disruptions
- Lateral network movement
The attack vector is local (AV:L in CVSS 4.0), requiring high privileges (PR:H) but no user interaction (UI:N).
Despite its medium severity, the impact scores for confidentiality, integrity, and availability are all HIGH (VC:H/VI:H/VA:H).
Affected Products and ...