Pierluigi Paganini February 21, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Craft CMS and Palo Alto Networks PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

The two vulnerabilities are:

• CVE-2025-23209 Craft CMS Code Injection Vulnerability
• CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability

Craft is a flexible, user-friendly CMS, affected by a code injection vulnerability, tracked as CVE-2025-23209 (CVSS score of 8.1), which could lead to remote code execution (RCE). The RCE affects Craft 4 and 5 installs where a user’s security key has already been compromised.

“This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.” reads the advisory. “Anyone running an unpatched version of Craft with a compromised security key is affected.”

“If you can’t update to a patched version, then rotating your security key and ensuring its privacy will help to migitgate the issue.”

The second vulnerability added to the catalog by CISA is a file read issue in PAN-OS, tracked as CVE-2025-0111. An authenticated attacker with network access to the management web interface could exploit the flaw to read files that are readable by the “nobody” user.

This week, Palo Alto Networks warned that threat actors are chaining the vulnerability CVE-2025-0111 with two other vulnerabilities, tracked as CVE-2025-0108 with CVE-2024-9474, to compromise PAN-OS firewalls.

Palo Alto Networks addressed the flaw CVE-2025-0111 on February 12, 2025. A week later, the cybersecurity vendor updated its bulletin to warn that it is being exploited in the wild. Attackers are chaining them with the CVE-2025-0108 with CVE-2024-9474 issues.

“An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.” reads the updated bulletin published by the vendor.

“Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces.” 

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 13, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)