PatchSiren cyber security CVE debrief
CVE-2025-0109 Palo Alto Networks CVE debrief
CVE-2025-0109 is a medium-severity unauthenticated file deletion vulnerability affecting the Palo Alto Networks PAN-OS management web interface. Published on 2024-11-22 and last modified on 2025-06-10, this vulnerability enables an unauthenticated attacker with network access to the management web interface to delete certain files as the 'nobody' user. The impact is limited to specific logs and configuration files; system files are not affected. The vulnerability is present in Siemens RUGGEDCOM APE1808 devices that incorporate Palo Alto Networks Virtual NGFW. The CVSS 3.1 score of 5.3 reflects a network attack vector with low attack complexity, no privileges required, and a low integrity impact with no confidentiality or availability impact. This CVE was added to the CISA ICS advisory ICSA-24-338-02 on 2025-02-19 as part of revision 1.2, which also added the related CVEs CVE-2025-0108, CVE-2025-0110, and CVE-2025-0111. The advisory has undergone multiple revisions, the most recent on 2025-06-10, which added further CVEs.
- Vendor: Palo Alto Networks
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-22
- Original CVE updated: 2025-06-10
- Advisory published: 2024-11-22
- Advisory updated: 2025-06-10
Who should care
Organizations operating Siemens RUGGEDCOM APE1808 devices with Palo Alto Networks Virtual NGFW, particularly in industrial control system (ICS) and operational technology (OT) environments. Security teams responsible for firewall management interfaces and network segmentation should prioritize this vulnerability. Organizations subject to CISA ICS security guidance should review recommended practices for defense-in-depth strategies.
Technical summary
An unauthenticated file deletion vulnerability exists in the Palo Alto Networks PAN-OS management web interface. An attacker with network access to the management web interface can delete certain files as the 'nobody' user, including limited logs and configuration files. System files are not affected. The vulnerability has a CVSS 3.1 score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. Affected products include Siemens RUGGEDCOM APE1808 with Palo Alto Networks Virtual NGFW. Remediation involves upgrading to Virtual NGFW V11.1.8 and restricting management interface access to trusted internal IP addresses.
Defensive priority
medium
Recommended defensive actions
- Limit access to the PAN-OS management web interface to trusted internal IP addresses to reduce exposure
- Upgrade Palo Alto Networks Virtual NGFW to version 11.1.8; contact customer support to receive patch and update information
- Monitor for unauthorized file deletions in logs and configuration directories accessible to the 'nobody' user
- Review network segmentation to ensure management interfaces are not exposed to untrusted networks
- Apply defense-in-depth practices for industrial control systems as recommended by CISA
Evidence notes
CVE description and vendor attribution derived from CISA CSAF source ICSA-24-338-02. CVSS vector confirms network-based unauthenticated attack with limited integrity impact. Remediation guidance specifies upgrade to Palo Alto Networks Virtual NGFW V11.1.8.
Official resources
- CVE-2025-0109 CVE record (CVE.org)
- CVE-2025-0109 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-11-22