https://live.paloaltonetworks.com/t5/advanced-threat-prevention/reduce-exposure-to-pan-os-vulnerabilities-like-cve-2025-0111/m-p/1235954#M2466 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/871573355">@tofu159mac</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN class="citation-50">In a lot of cases following best practices will provide you a lot of protection.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN class="citation-49 citation-end-49">CVE-2025-0111 is an authenticated file read vulnerability that affects the firewall's management interface.</SPAN> <SPAN class="citation-48 citation-end-48">The primary risk is when this interface is accessible from external or untrusted networks.&nbsp;&nbsp;</SPAN><SPAN>You greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management interface.</SPAN></P> <DIV class="source-inline-chip-container ng-star-inserted">This can be done by configuring a management profile on the management interface or any data plane interface that has management access enabled. The profile should only allow access from specific trusted internal subnets or a dedicated jump host.&nbsp;&nbsp;Also ensure that you do not have any security policies that allow traffic from the <STRONG>untrust</STRONG> zone to the management IP address. <SPAN class="citation-45 citation-end-45">If the management interface is exposed to the internet, your risk is at its highest.</SPAN></DIV> <P>&nbsp;</P> <P>I strongly recommend subscribing to Palo Alto Networks' security advisories for recommendations/updates on CVE's like the one you mentioned:</P> <P><A href="https://security.paloaltonetworks.com/CVE-2025-0111" target="_blank">https://security.paloaltonetworks.com/CVE-2025-0111</A></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Kim.</P> Wed, 13 Aug 2025 14:56:14 GMT kiwi 2025-08-13T14:56:14Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/reduce-exposure-to-pan-os-vulnerabilities-like-cve-2025-0111/m-p/1235882#M2465 <P>Hello,</P> <P>&nbsp;</P> <P>What immediate steps should network admins take to reduce exposure to PAN-OS vulnerabilities like CVE-2025-0111 when no official patch is yet available?</P> Wed, 13 Aug 2025 04:44:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/reduce-exposure-to-pan-os-vulnerabilities-like-cve-2025-0111/m-p/1235882#M2465 tofu159mac 2025-08-13T04:44:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/reduce-exposure-to-pan-os-vulnerabilities-like-cve-2025-0111/m-p/1235954#M2466 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/871573355">@tofu159mac</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN class="citation-50">In a lot of cases following best practices will provide you a lot of protection.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN class="citation-49 citation-end-49">CVE-2025-0111 is an authenticated file read vulnerability that affects the firewall's management interface.</SPAN> <SPAN class="citation-48 citation-end-48">The primary risk is when this interface is accessible from external or untrusted networks.&nbsp;&nbsp;</SPAN><SPAN>You greatly reduce the risk if you ensure that you allow only trusted internal IP addresses to access the management interface.</SPAN></P> <DIV class="source-inline-chip-container ng-star-inserted">This can be done by configuring a management profile on the management interface or any data plane interface that has management access enabled. The profile should only allow access from specific trusted internal subnets or a dedicated jump host.&nbsp;&nbsp;Also ensure that you do not have any security policies that allow traffic from the <STRONG>untrust</STRONG> zone to the management IP address. <SPAN class="citation-45 citation-end-45">If the management interface is exposed to the internet, your risk is at its highest.</SPAN></DIV> <P>&nbsp;</P> <P>I strongly recommend subscribing to Palo Alto Networks' security advisories for recommendations/updates on CVE's like the one you mentioned:</P> <P><A href="https://security.paloaltonetworks.com/CVE-2025-0111" target="_blank">https://security.paloaltonetworks.com/CVE-2025-0111</A></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Kim.</P> Wed, 13 Aug 2025 14:56:14 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/reduce-exposure-to-pan-os-vulnerabilities-like-cve-2025-0111/m-p/1235954#M2466 kiwi 2025-08-13T14:56:14Z