Palo Alto Networks Security Advisories

CVE-2025-2180 Checkov by Prisma Cloud: Unsafe Deserialization of Terraform Files Allows Code Execution

Urgency: MODERATE
Severity: 1.1 · LOW
Exploit Maturity: UNREPORTED
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Complexity: LOW
Attack Requirements: NONE
Automatable: NO
User Interaction: PASSIVE
Product Confidentiality: NONE
Product Integrity: LOW
Product Availability: NONE
Privileges Required: NONE
Subsequent Confidentiality: LOW
Subsequent Integrity: LOW
Subsequent Availability: LOW

Description

An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non-administrative user by scanning a malicious Terraform file when using Checkov in Prisma® Cloud.

This issue impacts Checkov 3.0 versions earlier than Checkov 3.2.415.

Product Status

Versions                         Affected     Unaffected
Checkov by Prisma Cloud 3.2.0    < 3.2.415    >= 3.2.415

Required Configuration for Exposure

No special configuration is required to be vulnerable to this issue.

Severity: LOW, Suggested Urgency: MODERATE

If the user scans infrastructure as code (IaC) files from untrusted sources:
LOW – CVSS-BT: 1.1 / CVSS-B: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-502 Deserialization of Untrusted Data

CAPEC-248 Command Injection

Solution

Version                          Minor Version            Suggested Solution
Checkov by Prisma Cloud 3.2      3.2.0 through 3.2.414    Upgrade to 3.2.415 or later.

Workarounds and Mitigations

Do not run Checkov on Terraform files from untrusted sources or pull requests.

Acknowledgments

Palo Alto Networks thanks Bryan Eastes for discovering and reporting this issue.

CPE Applicability

  • cpe:2.3:a:palo_alto_networks:checkov_by_prisma_cloud:*:*:*:*:*:*:*:* is vulnerable from (including) 3.2.0 and up to (excluding) 3.2.415

Timeline

Initial publication

