
Palo Alto Networks warned that attackers are using an exploit chain involving two recently disclosed vulnerabilities in its firewall management interfaces.
On Tuesday, Palo Alto Networks disclosed exploitation activity in an updated security advisory for an authenticated file read vulnerability, tracked as CVE-2025-0111, in the vendor’s PAN-OS software that was initially disclosed on Feb. 12. Palo Alto Networks rated the flaw as “highest” urgency level and recommended that customers disable internet access to the PAN-OS web management interface.
The update, published one week after the initial disclosure, warned of exploitation activity in which attackers chained CVE-2025-0111 with two other Palo Alto Networks vulnerabilities. The first is another recently disclosed vulnerability, tracked as CVE-2025-0108, that came under attack as a zero-day. The second is an older, previously disclosed vulnerability tracked as CVE-2024-9474.
The latter was also exploited in zero-day attacks against the security vendor’s firewall management interfaces in November. However, it appears that some instances remain unpatched.
“Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” the company wrote in the updated security advisory.
Informa TechTarget contacted Palo Alto Networks for comment regarding the attack scope. The security vendor confirmed that it has observed limited exploitation at this time and provided the following statement:
Palo Alto Networks is urging customers to immediately patch two vulnerabilities in the PAN-OS web management interface — CVE-2025-0108 and CVE-2025-0111. These vulnerabilities could allow unauthorized access to the management interface of affected firewalls, potentially leading to system compromise. Exploitation attempts for CVE-2025-0108, which has a publicly available proof-of-concept exploit, have been observed chaining it with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. We continue to monitor the situation and leverage the currently operational mechanisms to detect customer compromises in telemetry and TSFs and support them through the EFR remediations.
Palo Alto Networks added that customers should take immediate action by downloading and installing the latest PAN-OS updates provided in the security advisories for CVE-2025-0108 and CVE-2025-0111. The vendor said it could not provide patching rates for CVE-2024-9474 due to customer security concerns.
Palo Alto Networks credited security researchers Émilio Gonzalez and Maxime Gaudreault, as well as its own Deep Product Security Research Team, for discovering and reporting CVE-2025-0111. Last year, Gonzalez called out Palo Alto Networks in a post to Mastodon for poor vulnerability disclosure around CVE-2024-0012, another zero-day flaw that also affected the vendor’s web management interface. In another Mastodon post on Feb. 12, Gonzalez shared the advisory for CVE-2025-0111 and said it was his first CVE and bug bounty.
CISA added CVE-2025-0111 to its Known Exploited Vulnerabilities catalog on Thursday, giving federal agencies a March 13 deadline to apply vendor mitigations.
Palo Alto Networks’ PAN-OS software, the operating system that runs the vendor’s firewalls, has become a popular target for attackers over the past year. In November, attackers exploited CVE-2024-9474 and CVE-2024-0012 in zero-day attacks, which led to the compromise of at least 2,000 PAN-OS management interfaces.
In April, Palo Alto Networks confirmed that attackers had also exploited a command injection flaw, tracked as CVE-2024-3400, affecting the GlobalProtect gateway feature in the vendor’s PAN-OS software. Additionally, in January, Eclypsium researchers detailed several security issues they discovered in Palo Alto Networks’ firewall products as attacks against edge devices rise.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.