
Palo Alto Networks has addressed a high-severity authentication bypass vulnerability (CVE-2025-0108) in the management web interface of its next-generation firewalls. Although the company states it has not observed malicious exploitation, threat intelligence firm GreyNoise has detected active exploitation attempts in the wild, raising concerns for organizations using PAN-OS.
The vulnerability allows unauthenticated attackers to execute specific PHP scripts on the firewall’s management interface. While this does not grant remote code execution (RCE), Palo Alto Networks confirms that exploitation could impact the integrity and confidentiality of PAN-OS.
The flaw was discovered by researchers at Assetnote, who initially analyzed patches for two previously exploited vulnerabilities—CVE-2024-0012 and CVE-2024-9474. Attackers had leveraged these flaws in November 2024 to compromise over 2,000 PAN firewalls.
“As we looked further into the architecture of the management interface, we suspected something was off, even post-patch,” explained Assetnote researcher Adam Kues.
A closer examination revealed exploitable discrepancies in how three key components—Nginx, Apache, and the PHP application—handle web requests to the firewall’s management interface. This discovery led to the identification of CVE-2025-0108.
Assetnote’s CTO, Shubham Shah, clarified that this is a distinct security flaw, though it stems from similar architectural design choices that contributed to past vulnerabilities.
A proof-of-concept (PoC) exploit for CVE-2025-0108 has been publicly released, making it easier for threat actors to target unpatched systems.
Shortly after disclosure, GreyNoise, which tracks malicious internet activity, observed active exploitation attempts aimed at this vulnerability. This suggests attackers are already probing vulnerable Palo Alto Networks firewalls, likely to gain unauthorized access.
Palo Alto Networks has released patches to address the vulnerability in the following PAN-OS versions:
- 11.2.4-h4 and later
- 11.1.6-h1 and later
- 10.2.13-h3 and later
- 10.1.14-h9 and later
Organizations using PAN-OS are urged to apply security patches immediately to mitigate the risk. Additionally, security teams should take proactive steps to protect their environments:
- Restrict access to firewall management interfaces, ensuring they are not publicly exposed.
- Monitor for signs of exploitation using logs and threat intelligence tools.
- Review past security advisories to identify potential misconfigurations stemming from previous vulnerabilities.
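To make the "apply patches immediately" step checkable at scale, the following Python example (added here; it is not code from the article or from Palo Alto Networks) parses PAN-OS version strings and compares each device in a constructed inventory against the fixed versions listed above. It assumes the advisory's "and later" means any version at or above the fix within the same release branch; branches the article does not mention (for example 11.0 or a future 12.x) are reported as unknown rather than guessed at. The host names and versions in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed PAN-OS versions for CVE-2025-0108 as listed above, keyed by
# release branch (major, minor). A device in one of these branches is
# treated as patched when its version is at or above the fixed one.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}

# major.minor.patch with an optional "-hN" hotfix suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 when the version string carries no -hN suffix


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.2.4-h4' or '11.2.4' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(patch), int(hotfix or 0))


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version."""
    v = parse_version(text)
    fixed_text = FIXED_VERSIONS.get((v.major, v.minor))
    if fixed_text is None:
        # The advisory summary lists no fix for this branch; do not assume.
        return "unknown-branch"
    fixed = parse_version(fixed_text)
    # NamedTuple comparison is lexicographic: major, minor, patch, hotfix.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its patch status."""
    return {host: patch_status(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-edge-01", "11.2.4-h4"),   # exactly the fixed version
    ("fw-edge-02", "11.2.4"),      # same base release, hotfix missing
    ("fw-dc-01", "10.2.12-h10"),   # older patch level, still vulnerable
    ("fw-dc-02", "10.1.15"),       # later patch release in a fixed branch
    ("fw-lab-01", "11.0.3"),       # branch not covered by the list above
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices that come back `vulnerable` or `unknown-branch` are the ones to prioritise; the latter should be checked against the vendor's full advisory rather than assumed safe.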