
An authentication bypass flaw in Palo Alto Networks' PAN-OS software has been exploited in the wild, the security vendor confirmed Monday.
CVE-2025-0108 is an authentication bypass vulnerability in PAN-OS, the operating system that runs Palo Alto Networks firewalls. The flaw, which has a CVSS 4.0 score of 8.8, was first disclosed on Feb. 12 with its discovery credited to Assetnote security researcher Adam Kues.
According to Palo Alto Networks' security advisory, the vulnerability "enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts." The vendor said invoking PHP scripts does not enable remote code execution, but "can negatively impact integrity and confidentiality of PAN-OS."
Affected PAN-OS versions include those prior to — but not including — PAN-OS 11.2.4-h4, PAN-OS 11.1.6-h1, PAN-OS 10.2.13-h3 and PAN-OS 10.1.14-h9. Prisma Access and Cloud NGFW instances are unaffected, the vendor said. Upgrades are available now for the aforementioned versions of PAN-OS, and the vendor recommends customers upgrade to a supported version. For customers using PAN-OS 11.0, no fix is planned because the software reached end-of-life status in November.
There are, however, additional workarounds and mitigations. Palo Alto Networks said customers can reduce risk by "restricting access to the management web interface to only trusted internal IP addresses in accordance with our recommended best practices deployment guidelines." Customers with the highest risk are those with their management interfaces exposed to the internet and those who have enabled access to any untrusted network.
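The two preceding paragraphs give a defender everything needed to triage a firewall fleet: the first fixed release on each affected train, the end-of-life status of 11.0, and the fact that an exposed management interface is the highest-risk configuration. The following script, an added example that is not vendor code or part of the article, turns that into a fleet check. It assumes PAN-OS version strings follow the `major.minor.maint[-hN]` form seen in the advisory, that a version with no `-h` suffix sorts below any hotfix of the same maintenance release, and that the inventory carries a `mgmt_exposed` flag; the hostnames and versions in the sample inventory are constructed. Trains not named in the article are reported as `not-listed` rather than guessed at.

```python
"""Triage a PAN-OS inventory against the CVE-2025-0108 fixed releases.

Added example, not vendor code. Fixed versions and the 11.0 end-of-life
note come from the advisory text quoted in the article; the inventory
below is constructed sample data.
"""
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string has no "-hN" suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.2.4-h4' into a comparable tuple; hotfix defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed release per affected train, per the advisory: anything on the
# same major.minor train that sorts below these is affected.
FIXED_RELEASES = {
    (v.major, v.minor): v
    for v in map(parse_version, ["11.2.4-h4", "11.1.6-h1", "10.2.13-h3", "10.1.14-h9"])
}

# 11.0 reached end-of-life; the vendor plans no fix for it.
END_OF_LIFE_TRAINS = {(11, 0)}


def patch_status(version_text: str) -> str:
    """Classify one version string: patched, affected, end-of-life or not-listed."""
    v = parse_version(version_text)
    train = (v.major, v.minor)
    if train in END_OF_LIFE_TRAINS:
        return "end-of-life"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        # Train not named in the article's advisory excerpt; check the vendor advisory.
        return "not-listed"
    return "patched" if v >= fixed else "affected"


def triage(inventory: list[dict]) -> list[dict]:
    """Rank devices: unpatched boxes with an exposed management interface first."""
    ranked = []
    for device in inventory:
        status = patch_status(device["version"])
        needs_fix = status in ("affected", "end-of-life")
        if needs_fix and device["mgmt_exposed"]:
            priority = "critical"  # exploitation seen in the wild against exposed interfaces
        elif needs_fix:
            priority = "high"
        elif status == "not-listed":
            priority = "review"
        else:
            priority = "ok"
        ranked.append({"host": device["host"], "status": status, "priority": priority})
    order = {"critical": 0, "high": 1, "review": 2, "ok": 3}
    ranked.sort(key=lambda r: order[r["priority"]])  # stable sort keeps inventory order within a tier
    return ranked


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "11.2.4-h4", "mgmt_exposed": True},
    {"host": "fw-edge-2", "version": "11.2.3", "mgmt_exposed": True},
    {"host": "fw-dc-1", "version": "10.2.13-h3", "mgmt_exposed": False},
    {"host": "fw-lab-1", "version": "11.0.4", "mgmt_exposed": False},
    {"host": "fw-branch-7", "version": "10.1.14-h2", "mgmt_exposed": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:<8} {row['host']:<12} {row['status']}")
```

On the sample inventory the exposed 11.2.3 device is ranked first, followed by the end-of-life 11.0 box and the 10.1.14-h2 device, which is still below 10.1.14-h9 even though it carries a hotfix suffix. The point of the tuple comparison is that `-hN` hotfixes must be compared numerically within a maintenance release; a naive string comparison would misclassify them.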
Palo Alto Networks updated its advisory Tuesday morning to state that it has seen exploitation attempts in the wild using a proof-of-concept exploit.
"A proof of concept (PoC) exploit is publicly available for CVE-2025-0108. Palo Alto Networks has observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces," the vendor said.
Palo Alto Networks appeared to reference research from Assetnote's Kues published on Feb. 12, explaining in significant technical detail how CVE-2025-0108 works. CVE-2024-9474 is another PAN-OS zero-day disclosed last fall.
A GreyNoise scan has observed 26 unique IP addresses attempting to exploit CVE-2025-0108 in the wild at press time. A scan from security nonprofit Shadowserver Foundation shows roughly 3,300 PAN-OS management interfaces exposed to the internet as of Feb. 18.
A spokesperson for GreyNoise said in an email that researchers observed exploitation efforts "within hours" after the PoC was released.
Informa TechTarget asked Palo Alto Networks for comment on the attack timeline surrounding CVE-2025-0108, but the vendor declined to provide additional information. A spokesperson, however, offered the following statement:
The security of our customers is our top priority. Palo Alto Networks has confirmed reports of active exploitation targeting a vulnerability (CVE-2025-0108) in the PAN-OS web management interface. This vulnerability, chained with other vulnerabilities like CVE-2024-9474, could allow unauthorized access to unpatched and unsecured firewalls.
We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.
Detailed information and mitigation guidance are available in the CVE-2025-0108 security advisory.
A spokesperson for Assetnote said the company does not have timing on when exploitation attempts began because they do not offer threat intelligence services. The spokesperson provided the following statement on Assetnote's research:
For some context, we discovered this vulnerability, reported it to Palo Alto, and worked with them to set a coordinated public disclosure date. We perform this zero-day research so we can operationalize it through our platform for our customers. Sophisticated attackers (often ransomware groups) seek similar attack vectors, so we see this as the best way to preemptively close these gaps. We disclose these findings to vendors so we can work with them to remediate the issue in the product itself. Our customers also get privately notified of these security vulnerabilities early through platform findings so they know what and how to mitigate. Regardless of our research articles, we see opportunistic attackers weaponize exploits by simply reverse engineering patches across numerous vendors. We release our research so that more defenders in the community can understand the issue and detect it.
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.