Palo Alto Networks recently addressed an authentication bypass vulnerability (CVE-2025-0108) affecting its PAN-OS firewall management web interface. This vulnerability enables an unauthenticated attacker with network access to access the management web interface to bypass its required authentication controls and execute specific PHP scripts. This could potentially lead to compromised integrity and confidentiality.
The vulnerability stems from architectural weaknesses in PAN-OS, path confusion, and inconsistent request handling between Nginx and Apache components, leading to authentication bypass. Security researchers from the Assetnote Security Research Team, who discovered and reported this vulnerability, also created a blog post to provide more details about the vulnerability and its PoC. Palo Alto has confirmed that his flaw doesn’t directly allow RCE but can still compromise integrity and confidentiality.
Active Exploitation in the Wild
Reports have indicated the active exploitation of CVE-2025-0108. GreyNoise, a threat monitoring platform, observed exploitation attempts targeting unpatched PAN-OS firewalls. Organizations with unpatched systems remain vulnerable to potential data theft, firewall manipulation, and advanced persistent threats (APTs).
Mitigation and Recommended Actions
Administrators are required to upgrade their firewalls to the following patched versions:
- PAN-OS 11.2.4-h4 or later
- PAN-OS 11.1.6-h1 or later
- PAN-OS 10.2.13-h3 or later
- PAN-OS 10.1.14-h9 or later
Additionally, PAN-OS 11.0 is no longer supported and has reached the end of life (EoL) in Nov’24. Organizations using this version are advised to upgrade immediately.
Defensive Measures
Defenders are advised to test and implement the security updates. It is also recommended that external access to the management interface be restricted to trusted internal IP addresses only. This may not always be possible, but implementing these restrictions reduces the risk of exploitation of these and other vulnerabilities.
In conclusion, CVE-2025-0108 presents a significant security risk, primarily because of its active exploitation in the wild. Organizations with vulnerable systems should act swiftly to patch and implement best security practices to mitigate this threat.
