CVE-2025-0134
Description
A code injection vulnerability in the Palo Alto Networks Cortex XDR® Broker VM allows an authenticated user to execute arbitrary code with root privileges on the host operating system running Broker VM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user can execute arbitrary code with root privileges on the host OS via a code injection flaw in Cortex XDR Broker VM.
The vulnerability is a code injection issue (CWE-94) in Palo Alto Networks Cortex XDR Broker VM [1]. An authenticated user with low privileges can exploit this flaw to execute arbitrary code with root privileges on the host operating system. The flaw exists because the Broker VM does not properly sanitize certain inputs, allowing injection of executable code [1].
The attack is possible over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N) [1]. The attacker needs only low privileges to the Broker VM instance [1]. While the direct product impact (confidentiality, integrity, availability) is rated LOW, the vulnerability allows subsequent impact at a HIGH level on the host system [1]. Palo Alto Networks is not aware of any malicious exploitation of this issue [1].
An attacker who successfully exploits this vulnerability could gain full root-level control of the host operating system running the Broker VM. This could lead to a complete compromise of the host, including access to all data and other processes running on that system [1]. The target asset has a concentrated value density, which makes this a serious threat despite the low privileges initially required [1].
The issue is fixed in Cortex XDR Broker VM version 26.0.119 and all later versions [1]. Customers who have enabled automatic upgrades for Broker VM are already protected. Those who have not are urged to enable automatic upgrades or manually apply the update. No workarounds or mitigations are available for this issue [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.