Informational Bulletin: OSS CVEs Fixed in PAN-OS
Low Risk | 0 | PAN-SA-2025-0012 | Jul 9, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
Palo Alto Networks has identified and fixed open source software (OSS) CVEs in PAN-OS. The vendor determined these CVEs do not have significant operational impact on PAN-OS, but patches are being provided out of an abundance of caution. The specific OSS vulnerabilities and their fixed versions are detailed in the advisory.
What this means
What could happen
This advisory addresses open source software vulnerabilities that were fixed in PAN-OS as a precaution. Palo Alto Networks determined these CVEs do not have significant impact on PAN-OS operations, but patches are available.
Who's at risk
Organizations running Palo Alto Networks PAN-OS firewalls should be aware of these OSS CVE fixes. While not confirmed to have operational impact on firewall security functions, firmware updates are available for organizations that want to maintain the most current patches.
How it could be exploited
Based on Palo Alto Networks' assessment, exploitation of these OSS vulnerabilities through PAN-OS is not anticipated to occur due to the way the vulnerable code is used or mitigated in the product.
Prerequisites
- Access to PAN-OS devices
- Exploitation would require specific conditions that Palo Alto Networks determined are not met in typical PAN-OS deployments
Open source software supply chain risk
Patched vulnerabilities in bundled dependencies
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Plan firmware updates to the latest PAN-OS version during scheduled maintenance windows to apply available OSS fixes
Long-term hardening
HARDENING: Review the detailed CVE list in the advisory and check if any affected OSS versions are relevant to your environment