Gafgyt aka Bashlite Malware – Active IOCs
June 28, 2025
Severity
High
Analysis Summary
A recently disclosed vulnerability in Palo Alto Networks' PAN-OS, tracked as CVE-2025-4230, allows an authenticated administrator with CLI access to bypass the restricted shell and run arbitrary operating-system commands as root, a full compromise of the firewall. The flaw is an OS command injection (CWE-78) and was publicly disclosed on June 11, 2025. Valid administrator credentials are required, which limits the attack surface, but the consequences are severe in environments with many administrators, where a misused or compromised account turns into root on a perimeter device.
The vulnerability stems from insufficient validation of input passed to the PAN-OS command-line interface (CLI): specially crafted arguments are not sanitized before they reach the underlying operating system, so an attacker can append to or alter the OS commands the CLI executes (CAPEC-248, Command Injection). The affected code sits behind authentication, but any account with CLI-level administrative privileges can trigger it, which makes insider misuse and credential theft the realistic attack scenarios rather than remote unauthenticated exploitation.
The affected releases are PAN-OS 11.2 before 11.2.6, 11.1 before 11.1.10, 10.2 before 10.2.14, and 10.1 before 10.1.14-h15. The vulnerability carries a CVSS score of 5.7 (Medium): the vector requires local access and high privileges, but the resulting impact on confidentiality, integrity, and availability is high, because injected commands run as root. Palo Alto Networks states that Cloud NGFW and Prisma Access are not affected. No special configuration is required for exploitation, so default installations of the affected releases are exposed.
Remediation requires patching; no workarounds or mitigations are available. Upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15, or a later release in the same train, and confirm the running version afterwards (the sw-version field of show system info on the CLI). Beyond patching, restrict CLI access to the administrators who genuinely need it, since every CLI-capable admin account is an exploitation path. Palo Alto Networks reports no known active exploitation, but root-level command execution on a firewall warrants a proactive response. The issue was discovered and reported by Visa Inc., an example of private-sector research feeding back into the security of critical infrastructure products.
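As an added example (not code from the advisory or from Palo Alto Networks), the Python script below turns the affected and fixed version list above into a fleet triage check. It parses PAN-OS version strings including the -hN hotfix suffix, so that 10.1.14 is correctly treated as older than the fixed 10.1.14-h15, and reads the hostname and sw-version fields out of a show system info reply from the PAN-OS XML API. The XML sample, hostnames and inventory are constructed for the example; release trains the advisory does not list (for example 11.0) are reported as unassessed rather than as safe.

```python
"""Triage PAN-OS firewalls against CVE-2025-4230 by version string.

Added example; not part of the advisory or of any Palo Alto Networks tooling.
The fixed releases are the ones listed in the advisory text. The sample XML is
constructed to look like a `show system info` reply from the PAN-OS XML API.
"""
import re
import xml.etree.ElementTree as ET

# Fixed release per train as (major, minor, maintenance, hotfix).
# A missing "-hN" suffix is treated as hotfix 0, so 10.1.14 < 10.1.14-h15.
FIXED_RELEASES = {
    (11, 2): (11, 2, 6, 0),
    (11, 1): (11, 1, 10, 0),
    (10, 2): (10, 2, 14, 0),
    (10, 1): (10, 1, 14, 15),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.1.14-h15' into a comparable tuple (10, 1, 14, 15)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def format_version(v):
    """Inverse of parse_version; omits the hotfix suffix when it is 0."""
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}-h{v[3]}" if v[3] else base


def fixed_release_for(version):
    """Fixed release string for the train this version belongs to, or None."""
    fixed = FIXED_RELEASES.get(parse_version(version)[:2])
    return format_version(fixed) if fixed else None


def is_vulnerable(version):
    """True/False for a train the advisory lists; None for any other train
    (for example 11.0 or 10.0), which needs a separate lifecycle review."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def assess_system_info(xml_text):
    """Extract hostname and sw-version from a `show system info` XML API
    response and assess the device."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    system = root.find("./result/system")
    version = system.findtext("sw-version")
    return {
        "hostname": system.findtext("hostname"),
        "version": version,
        "vulnerable": is_vulnerable(version),
        "upgrade_to": fixed_release_for(version),
    }


def triage(inventory):
    """inventory: {hostname: version}. Returns hosts that still need patching,
    mapped to the release they should be upgraded to."""
    return {
        host: fixed_release_for(ver)
        for host, ver in inventory.items()
        if is_vulnerable(ver)
    }


# Constructed sample: a trimmed `show system info` reply. A live query is
# https://<firewall>/api/?type=op&cmd=<show><system><info/></system></show>&key=<api-key>
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>edge-fw01</hostname>
<model>PA-440</model>
<sw-version>10.1.14-h14</sw-version>
</system></result></response>"""


if __name__ == "__main__":
    print(assess_system_info(SAMPLE_RESPONSE))
    # Constructed inventory: one patched host, two that still need an upgrade.
    fleet = {"edge-fw01": "10.1.14-h14", "dc-fw02": "11.2.6", "lab-fw03": "11.1.9-h3"}
    print(triage(fleet))
```

The hotfix-aware comparison is the part worth copying: a naive string or three-part numeric compare either marks 10.1.14 as fixed or rejects 10.1.14-h15 as unparseable, and both mistakes leave vulnerable devices in the "done" column.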
Impact
- Gain Access (arbitrary OS command execution as root on the firewall)
Indicators of Compromise
CVE
CVE-2025-4230
Affected Vendors
- Palo Alto Networks
Affected Products
- PAN-OS 11.2 versions prior to 11.2.6
- PAN-OS 11.1 versions prior to 11.1.10
- PAN-OS 10.2 versions prior to 10.2.14
- PAN-OS 10.1 versions prior to 10.1.14-h15
Remediation
- Upgrade to PAN-OS 11.2.6, 11.1.10, 10.2.14, or 10.1.14-h15 (or later in the same train) immediately; no workarounds or mitigations are available. Confirm the installed release afterwards via the sw-version field of show system info.
- Restrict CLI access strictly to administrators who need it; an Admin Role Profile with Command Line access set to None removes the CLI from accounts that only need the web interface or API.
- Review and audit existing administrator accounts so that only trusted personnel hold CLI privileges, and remove stale or shared accounts.
- Monitor the firewall's configuration and system logs for unusual CLI sessions, unexpected administrator logins, or commands that do not match normal change activity.
- Educate administrative users about secure CLI usage and the risk that their credentials, if exposed, now equate to root on the device.
- Enable multi-factor authentication (MFA) for administrator accounts to reduce the impact of credential compromise.
- Conduct regular vulnerability assessments on PAN-OS devices to identify configuration or access control weaknesses.