CVE (Common Vulnerabilities and Exposures) is a standardized system used to identify and categorize security vulnerabilities in software and hardware. Managed by the MITRE Corporation, each CVE entry provides a unique identifier for a specific vulnerability, making it easier for security professionals to share and track issues. The CVE system enables organizations to quickly identify known vulnerabilities, assess the risk to their systems, and implement patches or mitigations to protect against potential exploits.

CVE-2025-0107 is an OS command injection flaw (CWE-78) in Palo Alto Networks’ Expedition, the tool used to migrate firewall configurations into PAN-OS. The vulnerability was disclosed on 7 January 2025 and is caused by insufficient sanitization of special characters in operating-system command inputs, allowing attackers to inject malicious input. The attack vector is network-based (CAPEC-88) and enables unauthenticated remote code execution as the www-data user (the default Apache web-server user on Linux).

CVE-2025-0108 is an authentication bypass vulnerability in the management web interface of Palo Alto Networks PAN-OS, disclosed on February 12, 2025. It allows an unauthenticated attacker with network access to circumvent the login process and invoke certain PHP scripts, thus compromising system integrity and confidentiality.

CVE-2025-8286 affects the Güralp FMUS series seismic monitoring devices, exposing an unauthenticated Telnet-based command-line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. It also lacks proper checks to ensure that the import only updates options relevant to the plugin itself. As a result, attackers can set default_user_role to administrator and modify users_can_register, allowing them to register as an administrator of the site for complete site takeover.