Full Report
Palo Alto Networks has published [1] information on vulnerabilities in PAN-OS. This advisory lists the related Siemens Industrial products affected by these vulnerabilities. Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet, available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808
## CVE Details
- **CVE ID:** CVE-2025-4231, CVE-2025-4619, CVE-2025-0114, CVE-2024-3596, CVE-2024-5913, CVE-2024-5920, CVE-2024-9468, CVE-2024-9471, CVE-2023-48795
- **CVSS Score:** 9.1 (Critical), for the most severe of the listed CVEs.
- **CWE:** CWE-77 (Command Injection), CWE-754 (Improper Check for Unusual or Exceptional Conditions), and others.
## Affected Systems
- **Products:** Siemens RUGGEDCOM APE1808 (hosting Palo Alto Networks Virtual Next-Generation Firewall).
- **Versions:** All versions running PAN-OS before V11.1.4-h1.
- **Configurations:**
- Systems with GlobalProtect portal or gateway enabled.
- Systems configured with URL proxy or decryption policies.
- Systems whose SSH profile allows CHACHA20-POLY1305, or a CBC-mode cipher together with an Encrypt-then-MAC (`-etm`) MAC algorithm (the combinations affected by Terrapin, CVE-2023-48795).
## Vulnerability Description
This advisory covers multiple flaws in the integrated Palo Alto Networks (PAN-OS) software:
- **Command Injection (CVE-2025-4231):** An authenticated administrative user with network access to the management web interface can execute arbitrary OS commands as root. The CVSS vector requires high privileges (PR:H) but is scored with a scope change (S:C), because the commands run on the underlying OS rather than inside the web application; that is why the flaw rates Critical despite needing an admin account.
- **Denial of Service (CVE-2025-4619):** An unauthenticated attacker can force a firewall reboot by sending a specially crafted packet through the dataplane. Repeated attempts push the device into maintenance mode, taking it out of service.
- **Protocol Vulnerabilities:** The "Terrapin" SSH prefix-truncation attack (CVE-2023-48795), in which a man-in-the-middle deletes messages from the start of the secure channel when CHACHA20-POLY1305 or a CBC cipher with an EtM MAC is negotiated, and the "Blast-RADIUS" flaw (CVE-2024-3596), in which an on-path attacker uses an MD5 chosen-prefix collision against the RADIUS/UDP Response Authenticator to turn an Access-Reject into an Access-Accept.
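The check that defeats Blast-RADIUS is the one the RADIUS client (here, the firewall) performs on each response: require the HMAC-MD5 `Message-Authenticator` attribute instead of trusting the plain-MD5 Response Authenticator, which a chosen-prefix collision can keep valid. The following is an added example, not code from the Siemens advisory or from PAN-OS; the shared secret, identifiers and packets are constructed for an offline run, and the attribute layout follows RFC 2865/2869.

```python
"""Verify a RADIUS Access-Accept the way a Blast-RADIUS (CVE-2024-3596) hardened
client should: require and check the HMAC-MD5 Message-Authenticator (RFC 2869)
instead of trusting the plain-MD5 Response Authenticator alone.

Added example; not PAN-OS or Siemens code. Packets, identifiers and the shared
secret below are constructed for an offline demonstration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80


def _encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Build a RADIUS response as a server would (RFC 2865 s3, RFC 2869 s5.14).

    attrs is a list of (type, value) pairs. With with_msg_auth=False the packet is
    protected only by the MD5 Response Authenticator, which is what Blast-RADIUS forges."""
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]   # placeholder, kept last
    attr_bytes = _encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(attr_bytes))
    if with_msg_auth:
        # HMAC-MD5 over Code+ID+Length+RequestAuth+Attributes with the MA value zeroed
        mac = hmac.new(secret, header + request_auth + attr_bytes, hashlib.md5).digest()
        attr_bytes = attr_bytes[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret): an
    # unkeyed hash, so an MD5 chosen-prefix collision lets an on-path attacker keep it valid
    resp_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def _parse_attrs(data):
    """Yield (type, value, value_offset) for each attribute; reject malformed TLVs."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[pos + 2:pos + length], pos + 2
        pos += length


def verify_response(packet, request_auth, secret):
    """Return (accepted, reason). A response without a valid Message-Authenticator
    is refused even if its Response Authenticator checks out."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT):
        return False, "bad length or code"
    resp_auth, attr_bytes = packet[4:20], packet[20:]
    try:
        attrs = list(_parse_attrs(attr_bytes))
    except ValueError as exc:
        return False, str(exc)
    # Legacy check: still required, but forgeable on its own (Blast-RADIUS).
    expected = hashlib.md5(packet[:4] + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    # Hardened check: exactly one Message-Authenticator, HMAC-MD5 with the value zeroed.
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][0]) != 16:
        return False, "Message-Authenticator missing"
    value, off = mas[0]
    zeroed = attr_bytes[:off] + bytes(16) + attr_bytes[off + 16:]
    mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return code == ACCESS_ACCEPT, "accept" if code == ACCESS_ACCEPT else "reject"


# Constructed demo data: shared secret and the Request Authenticator of a pending Access-Request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ATTRS = [(ATTR_REPLY_MESSAGE, b"Welcome")]

if __name__ == "__main__":
    good = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, SECRET)
    legacy = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, ATTRS, SECRET, with_msg_auth=False)
    print(verify_response(good, REQUEST_AUTH, SECRET))     # (True, 'accept')
    print(verify_response(legacy, REQUEST_AUTH, SECRET))   # (False, 'Message-Authenticator missing')
```

The order of the two checks matters only for error reporting; what closes the hole is that a response carrying no `Message-Authenticator` is refused outright, so a server that does not send it must be reconfigured rather than tolerated.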
## Exploitation
- **Status:** The Siemens advisory does not report in-the-wild exploitation of these CVEs on RUGGEDCOM APE1808 units; consult the upstream Palo Alto Networks advisories for the current exploitation status of each PAN-OS CVE.
- **Complexity:** Low for most of the listed CVEs.
- **Attack Vector:** Network (remote) for the command-injection, denial-of-service and protocol flaws described above.
## Impact
- **Confidentiality:** High (Full system compromise via command injection).
- **Integrity:** High (Unauthorized system modifications).
- **Availability:** High (Device rendered inoperable or forced into maintenance mode).
## Remediation
### Patches
- **Upgrade the Palo Alto Networks Virtual NGFW to V11.1.4-h1 or later.**
- Customers should contact Siemens customer support to receive specific patch and update information for the RUGGEDCOM APE1808.
### Workarounds
- **Management Interface:** Restrict the management web interface to a dedicated management network and to trusted internal IP addresses only; never expose it to the Internet.
- **RADIUS Security:** Configure RADIUS servers to always include the `Message-Authenticator` attribute in responses and to require it in requests, so that packets are protected by HMAC-MD5 rather than by the forgeable MD5 Response Authenticator alone; isolate RADIUS traffic on a management VLAN.
- **SSH Hardening:** Configure SSH profiles to exclude CHACHA20-POLY1305 and every MAC algorithm ending in `-etm@openssh.com`; this removes the cipher/MAC combinations Terrapin needs.
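To confirm the SSH workaround from the outside rather than by reading the configuration, parse the `SSH_MSG_KEXINIT` the device sends after the version banner and look for the Terrapin combinations (CHACHA20-POLY1305, or a CBC cipher alongside an `-etm` MAC). The following is an added example, not code from the advisory or from PAN-OS; the KEXINIT packets are constructed inline so the check runs offline, and a real scan would feed in the bytes read from port 22 instead.

```python
"""Parse an SSH_MSG_KEXINIT and report Terrapin (CVE-2023-48795) exposure.

Added example; not code from the Siemens advisory or from PAN-OS. The KEXINIT
packets are constructed in build_kexinit() for an offline test. A real check
would read the server's KEXINIT right after the version banner exchange.
"""
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none",)):
    """Wrap a KEXINIT payload in an unencrypted SSH binary packet (RFC 4253 s6).
    Constructed input for the parser; the cookie is zeroed, which a real peer must not do."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, (), ()):
        payload += _name_list(names)
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (len(payload) + 5) % 8       # total length a multiple of 8, padding >= 4
    if padding < 4:
        padding += 8
    body = bytes([padding]) + payload + bytes(padding)
    return struct.pack(">I", len(body)) + body


def parse_kexinit(packet):
    """Return the ten KEXINIT name-lists as {field: [algorithm, ...]}."""
    (packet_length,) = struct.unpack(">I", packet[:4])
    padding_length = packet[4]
    payload = packet[5:5 + packet_length - padding_length - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    pos, lists = 17, {}                        # skip message id + 16-byte cookie
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += 4 + n
    return lists


def terrapin_exposure(lists):
    """Apply the advisory's SSH workaround as a check on advertised algorithms.

    Terrapin needs chacha20-poly1305@openssh.com, or a CBC cipher negotiated
    together with an -etm@openssh.com MAC. OpenSSH 'strict kex' blocks the
    attack only when both peers support it, so it is reported separately."""
    enc = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    mac = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in enc
    cbc_etm = (any(c.endswith("-cbc") for c in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    return {
        "chacha20_offered": chacha,
        "cbc_with_etm_offered": cbc_etm,
        "strict_kex_offered": "kex-strict-s-v00@openssh.com" in lists["kex"],
        "workaround_applied": not (chacha or cbc_etm),
    }


# Constructed server KEXINITs: a default-like exposed profile and one hardened per the workaround.
EXPOSED = build_kexinit(
    ["curve25519-sha256", "diffie-hellman-group14-sha256"], ["ssh-ed25519"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
HARDENED = build_kexinit(
    ["curve25519-sha256", "kex-strict-s-v00@openssh.com"], ["ssh-ed25519"],
    ["aes256-gcm@openssh.com", "aes256-ctr"], ["hmac-sha2-256", "hmac-sha2-512"])

if __name__ == "__main__":
    for label, pkt in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, terrapin_exposure(parse_kexinit(pkt)))
```

`workaround_applied` follows the advisory literally: it is true only when neither Terrapin combination is offered at all, regardless of strict-kex support, because the firewall cannot control which clients connect to it.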
## Detection
- **Indicators of Compromise:** Unexpected reboots, especially several within a short window, and the device entering maintenance mode without operator action (the CVE-2025-4619 pattern); unexpected OS-level command execution or configuration changes recorded in the management and system logs.
- **Detection methods:** Correlate reboot and maintenance-mode events per device over time, and alert on management interface login attempts from addresses outside the permitted list. Inspect traffic reaching the dataplane for malformed packets where a capture point exists, but treat device-state and management-plane logs as the primary source.
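The correlation above reduces to a few rules over the device's system log. The following is an added example, not part of the advisory or of PAN-OS; the log lines and their `key=value` layout are constructed here, and the field names would have to be mapped onto the real system-log format of the device being monitored. The trusted management network is an assumption.

```python
"""Run the advisory's detection guidance over device system-log lines.

Added example, not part of the advisory or of PAN-OS. The log lines and their
key=value layout are constructed here; map the field names to the actual system
log format of the device you monitor.
"""
import ipaddress
from datetime import datetime, timedelta

TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed permitted-IP list
REBOOT_WINDOW = timedelta(hours=1)

# Constructed sample: a trusted login, two reboots 16 minutes apart, maintenance
# mode, then a login from an address outside the permitted list.
SAMPLE_LOGS = """
2025-06-12T10:00:00Z host=fw1 event=admin-login user=admin src=10.10.0.5
2025-06-12T10:05:12Z host=fw1 event=reboot reason=dataplane
2025-06-12T10:21:40Z host=fw1 event=reboot reason=dataplane
2025-06-12T10:22:01Z host=fw1 event=maintenance-mode
2025-06-12T10:30:00Z host=fw1 event=admin-login user=admin src=203.0.113.9
""".strip().splitlines()


def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict with a timezone-aware 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_alerts(lines, trusted=TRUSTED_MGMT_NETS, window=REBOOT_WINDOW):
    """Return [(timestamp, message)] for the three indicators: maintenance mode,
    repeated reboots inside `window`, and management logins from untrusted sources."""
    alerts, reboots = [], []          # reboots: timestamps kept within the window
    for f in map(parse_line, lines):
        ts, event = f["ts"], f.get("event")
        if event == "maintenance-mode":
            alerts.append((ts, f"{f['host']} entered maintenance mode"))
        elif event == "reboot":
            reboots = [t for t in reboots if ts - t <= window] + [ts]
            # one reboot may be maintenance; a second inside the window is the DoS pattern
            if len(reboots) >= 2:
                alerts.append((ts, f"{f['host']}: {len(reboots)} reboots within {window}"))
        elif event == "admin-login":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in trusted):
                alerts.append((ts, f"{f['host']}: management login by {f.get('user')} "
                                   f"from untrusted {src}"))
    return alerts


if __name__ == "__main__":
    for ts, msg in find_alerts(SAMPLE_LOGS):
        print(ts.isoformat(), msg)
```

Login alerts are raised on the attempt, not only on success, since a failed attempt from outside the permitted list already shows the interface is reachable from where it should not be.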
## References
- Siemens Security Advisory: hxxps://cert-portal.siemens.com/productcert/html/ssa-364175.html
- Palo Alto Networks Security Advisories: hxxps://security.paloaltonetworks.com/
- RSS Feed for PANW Alerts: hxxps://security.paloaltonetworks.com/rss.xml