PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-0110 Palo Alto Networks CVE debrief

A command injection vulnerability exists in the Palo Alto Networks PAN-OS OpenConfig plugin, which is bundled into Siemens RUGGEDCOM APE1808 devices that ship with PAN-OS. Only firewalls that have the OpenConfig plugin installed expose the vulnerable code path. An authenticated administrator who is permitted to make gNMI requests to the PAN-OS management web interface can bypass the restrictions that gNMI is supposed to enforce and run arbitrary commands as the '__openconfig' user, a service account that holds Device Administrator privileges on the firewall. In practice this turns a narrowly scoped, gNMI-only administrator into an operator with full device-level control. The source advisory was first published on November 22, 2024 and last revised on June 10, 2025. This issue carries a HIGH severity CVSS score of 7.2; the score is held below critical only by the requirement for privileged credentials. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Palo Alto Networks
Product
RUGGEDCOM APE1808
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2024-11-22
Original CVE updated
2025-06-10
Advisory published
2024-11-22
Advisory updated
2025-06-10

Who should care

Organizations operating Siemens RUGGEDCOM APE1808 devices running Palo Alto Networks Virtual NGFW (PAN-OS) with the OpenConfig plugin installed, particularly in critical infrastructure and industrial control system environments. Security teams responsible for OT/ICS network segmentation, firewall administrators managing PAN-OS instances, and compliance officers tracking CVE remediation for regulated industrial environments should prioritize assessment and mitigation. Because the attacker must already hold administrative credentials, the realistic threat is a compromised, shared, or over-provisioned administrator account, or a contractor or automation account granted gNMI access, escalating to full control of the device. That makes the issue most relevant to organizations with strict access control requirements, separation-of-duties expectations for firewall administrators, and obligations under NERC CIP or similar industrial cybersecurity frameworks.

Technical summary

The vulnerability resides in the gNMI (gRPC Network Management Interface) request handling within the PAN-OS OpenConfig plugin. An authenticated administrator can inject arbitrary operating-system commands through crafted gNMI requests sent to the management web interface. The injected commands execute with the privileges of the '__openconfig' service account, which holds the Device Administrator role, so the attacker gains control over firewall configuration and access to the underlying system. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) matches this picture: the attack requires network access to the management interface and valid administrative credentials, needs no user interaction, and fully compromises confidentiality, integrity and availability of the firewall. Firewalls without the OpenConfig plugin installed do not contain the affected code.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict access to the PAN-OS management web interface to trusted internal IP addresses only, and verify the allowlist on the device rather than assuming upstream firewall rules cover it
  • Apply vendor-provided security updates from Palo Alto Networks as referenced in Siemens security advisory SSA-354569
  • Where gNMI/OpenConfig management is not in use, remove the OpenConfig plugin so the vulnerable code path is absent from the device
  • Monitor management-plane and gNMI request logs for commands or configuration changes attributed to the '__openconfig' user that do not correspond to expected OpenConfig operations
  • Implement network segmentation to isolate management interfaces from untrusted networks, including the OT networks the firewall itself protects
  • Review and validate administrative account permissions to enforce least privilege, and limit gNMI request capability to the specific accounts that need it
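The first action above, checking that the management interface allowlist only contains trusted addresses, is easy to get wrong when an entry such as 0.0.0.0/0 was added during troubleshooting and never removed. The script below is an added example, not code from PatchSiren, Siemens or Palo Alto Networks; it parses a constructed XML fragment laid out like a PAN-OS configuration export and reports any permitted-ip entry that is wildcard or falls outside a trusted management CIDR. The element path deviceconfig/system/permitted-ip/entry and the sample addresses are assumptions for illustration and should be checked against a real export before use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the layout of a PAN-OS configuration
# export. The path deviceconfig/system/permitted-ip is an assumption about that
# format; verify it against a real export before relying on this script.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.0.0/24"/>
            <entry name="0.0.0.0/0"/>
            <entry name="203.0.113.7"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Management networks an operator considers trusted (illustrative value).
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

PERMITTED_IP_PATH = ".//deviceconfig/system/permitted-ip/entry"


def permitted_ips(xml_text):
    """Return the raw permitted-ip entries found in the config text."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iterfind(PERMITTED_IP_PATH)]


def audit_permitted_ips(xml_text, trusted):
    """Return (code, detail) findings for a management allowlist.

    EMPTY      - no entries at all, so the interface accepts any source
    ANY        - a wildcard entry (prefix length 0)
    UNTRUSTED  - an entry not contained in any trusted management network
    An empty list means every entry is inside a trusted network.
    """
    findings = []
    entries = permitted_ips(xml_text)
    if not entries:
        findings.append(("EMPTY", "no permitted-ip entries: management "
                                  "interface reachable from any source"))
        return findings
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)   # bare host -> /32 or /128
        if net.prefixlen == 0:
            findings.append(("ANY", raw))
            continue
        contained = any(t.version == net.version and net.subnet_of(t)
                        for t in trusted)
        if not contained:
            findings.append(("UNTRUSTED", raw))
    return findings


if __name__ == "__main__":
    for code, detail in audit_permitted_ips(SAMPLE_CONFIG, TRUSTED_MGMT):
        print(f"{code:9s} {detail}")
```

Run against the sample it reports the wildcard entry and the Internet-routable host; a clean allowlist returns no findings. Pair the output with the network-level restriction, since the device allowlist is the last line of defence, not the only one.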

Evidence notes

The vulnerability description and affected product information are derived from CISA CSAF advisory ICSA-24-338-02, which identifies Siemens RUGGEDCOM APE1808 as the affected product. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H confirms network attack vector with high privileges required. The advisory was initially published on 2024-11-22 and has undergone six revisions, with the most recent update on 2025-06-10 adding CVE-2025-0130 and CVE-2025-0137.

Official resources

2024-11-22