Photo credit: www.darkreading.com
Currently, attackers are taking advantage of a serious authentication bypass vulnerability in the Palo Alto Networks PAN-OS software. This flaw allows unauthenticated users to bypass necessary authentication controls and execute specific PHP scripts within the system.
The Cybersecurity and Infrastructure Security Agency (CISA), along with various cybersecurity experts, has issued warnings about the escalating assaults targeting this vulnerability, known as CVE-2025-0108. The issue was first documented in a blog post on February 12 by Searchlight Cyber AssetNote, which labeled it a zero-day vulnerability. PAN-OS serves as the foundational operating system for Palo Alto’s firewall solutions, and this vulnerability affects several versions: PAN-OS v11.2, v11.1, v10.2, and v10.1. Palo Alto Networks has released patches to address this issue across all impacted versions.
Details about the patches can be found in Palo Alto’s security advisory related to CVE-2025-0108, which has been classified as having high severity, with a CVSS score of 8.8. Although exploiting this flaw does not allow for remote code execution, the company cautioned that it could severely compromise the integrity and confidentiality of PAN-OS, potentially enabling attackers to infiltrate vulnerable systems where other exploits may also be utilized.
Further analysis has shown that attackers are attempting to exploit CVE-2025-0108 alongside two additional vulnerabilities in the PAN-OS Web management interface, namely CVE-2024-9474 (a privilege escalation vulnerability) and CVE-2025-0111 (an authenticated file read vulnerability), particularly on systems that remain unpatched and unsecured.
Active Exploitation of Palo Alto Firewalls
A surge in attacks targeting vulnerable devices has been noted since the flaw’s disclosure. As of February 18, 25 malicious IP addresses were observed actively exploiting CVE-2025-0108, a significant increase from just two addresses the day after its public disclosure, according to data from GreyNoise. The United States, Germany, and the Netherlands currently lead the list of countries from which these attacks originate, as reported in a GreyNoise blog entry.
“Organizations using PAN-OS firewalls should be vigilant and assume that unpatched devices are at risk. Immediate actions must be taken to secure them,” Noah Stone, a lead analyst at GreyNoise Intelligence, stated.
The uptick in exploitation attempts has prompted CISA to add this vulnerability to its Known Exploited Vulnerabilities Catalog, and the agency strongly urged affected parties to apply the available patches swiftly.
Why CVE-2025-0108 in PAN-OS Exists
The existence of this flaw can be attributed to a common architectural design found within PAN-OS. According to security researcher Adam Kues, this design enforces authentication at the proxy level but then hands the request to backend components that may parse it differently. Such architectures can lead to header smuggling and path confusion, which are often precursors to significant vulnerabilities.
Specifically, requests directed to the PAN-OS management interface are processed by three distinct components: Nginx, Apache, and the PHP application. The research found that authentication happens at the Nginx layer, relying on HTTP headers, but the request is then subject to potentially different processing at the Apache layer before it reaches the PHP component.
“If Nginx’s perception of our request differs from that of Apache, this discrepancy can lead to an authentication bypass,” Kues elaborated.
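To make the mismatch Kues describes concrete, here is an added toy model; it is not PAN-OS, Nginx or Apache code, and the protected prefix, the two normalisation rules and the sample paths are all constructed for illustration. A front proxy authorises a request on its own reading of the path, then a backend parses the same raw path by different rules (percent-decoding and dot-segment resolution). The hardened form shows the two defensive changes a practitioner would want: the backend enforces authentication on the path it will actually serve, and any request the two components read differently is rejected outright.

```python
"""Toy model of "authenticate at the proxy, re-parse at the backend".

Added illustration only: component names, rules and sample paths are
constructed and do not describe the real PAN-OS request pipeline.
"""
from dataclasses import dataclass
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"   # constructed: paths that require a valid session


@dataclass
class Request:
    raw_path: str
    authenticated: bool = False   # whether the client presented a valid session


def proxy_view(path: str) -> str:
    """Front proxy: matches on the raw path string, with no decoding and no
    resolution of '.' / '..' segments."""
    return path


def backend_view(path: str) -> str:
    """Backend: percent-decodes the path, then resolves '.' and '..' segments."""
    decoded = unquote(path)
    segments = []
    for seg in decoded.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    result = "/" + "/".join(segments)
    if decoded.endswith("/") and not result.endswith("/"):
        result += "/"
    return result


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIX)


def weak_dispatch(req: Request) -> str:
    """Weak design: the auth decision is made once, at the proxy, on the
    proxy's reading of the path; the backend serves its own reading
    without re-checking."""
    pv = proxy_view(req.raw_path)
    if is_protected(pv) and not req.authenticated:
        return "401 proxy denied"
    bv = backend_view(req.raw_path)
    return f"200 backend served {bv}"


def hardened_dispatch(req: Request) -> str:
    """Hardened design: reject any request whose two readings disagree, and
    enforce auth at the backend on the path it is actually about to serve."""
    pv = proxy_view(req.raw_path)
    bv = backend_view(req.raw_path)
    if pv != bv:
        return "400 ambiguous path"
    if is_protected(bv) and not req.authenticated:
        return "401 backend denied"
    return f"200 backend served {bv}"


if __name__ == "__main__":
    # Constructed sample requests: a plain protected path and one whose
    # encoded dot-segment the proxy and the backend read differently.
    for raw in ("/admin/", "/public/index.php", "/public/..%2Fadmin/"):
        req = Request(raw, authenticated=False)
        print(f"{raw:24} weak={weak_dispatch(req):32} hardened={hardened_dispatch(req)}")
```

The point of the comparison is that the weak design cannot be fixed at the proxy alone: whichever component executes the request must make the authorisation decision on the exact representation it acts upon, and a divergence between the front and back readings is itself a signal worth rejecting and logging rather than tolerating.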
The potential for exploitation is notably higher if configurations allow access to the management interface from the Internet or other untrusted networks, as Palo Alto highlighted in its advisory.
Eliminate Risk by Patching Auth Bypass Now
Due to the widespread deployment of Palo Alto’s network devices, vulnerabilities in their systems often attract swift attention from cybercriminals, underscoring the need for prompt mitigation of CVE-2025-0108. The unequivocal best way to avoid the risk of exploitation is to apply the recommended updates provided by Palo Alto Networks.
In addition, organizations can further mitigate risk by restricting access to the management interface exclusively to trusted internal IP addresses, so that exploit attempts from the Internet or similar external sources never reach it. Administrators can identify and remediate vulnerable assets by visiting the Assets section of the Palo Alto Customer Support Portal.
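An allow list only helps if it really is limited to internal space. The following added example (not a Palo Alto tool or API; the list format, the set of "internal" ranges and the sample entries are constructed) audits a management-interface allow list expressed as CIDR strings, reports entries that admit traffic from outside RFC 1918, loopback and unique-local space, and checks whether a given client address would be permitted.

```python
"""Audit a management-interface allow list for exposure to untrusted networks.

Added example: the CIDR-list format, the INTERNAL ranges and the sample
entries are constructed; this is not a vendor tool.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed definition of "trusted internal space": RFC 1918, loopback,
# link-local and IPv6 unique-local. Adjust to the organisation's own ranges.
INTERNAL: List[Network] = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=False lets host bits be set ('10.1.2.3/8')."""
    nets = []
    for raw in entries:
        try:
            nets.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"bad allow-list entry {raw!r}: {exc}") from exc
    return nets


def is_internal(net: Network) -> bool:
    """True if the whole entry lies inside one of the INTERNAL ranges."""
    return any(
        net.version == internal.version and net.subnet_of(internal)
        for internal in INTERNAL
    )


def exposed_entries(nets: Iterable[Network]) -> List[Network]:
    """Entries that would let non-internal sources reach the interface.
    A catch-all such as 0.0.0.0/0 or ::/0 is the classic misconfiguration."""
    return [net for net in nets if not is_internal(net)]


def is_permitted(client_ip: str, nets: Iterable[Network]) -> bool:
    """Would this client address pass the allow list?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample allow list: two internal entries, one documentation
    # (TEST-NET-2) range standing in for a public block, and a catch-all.
    sample = ["10.0.0.0/8", "192.168.1.0/24", "198.51.100.0/24", "0.0.0.0/0"]
    nets = parse_allowlist(sample)
    for net in exposed_entries(nets):
        print(f"EXPOSED: {net} admits traffic from outside internal space")
    for ip in ("10.1.2.3", "198.51.100.7"):
        print(f"{ip}: permitted={is_permitted(ip, nets)}")
```

Run against an exported allow list, a non-empty result from `exposed_entries` is the condition the advisory warns about: the interface is reachable from the Internet or another untrusted network, and patching alone does not close that exposure.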
Source
www.darkreading.com