Saturday, February 22, 2025

Palo Alto Flaw Exploited in the Wild

Attackers are actively exploiting an authentication bypass flaw discovered in the Palo Alto Networks PAN-OS software that lets an unauthenticated attacker bypass authentication of the management Web interface and invoke certain PHP scripts.

Both the Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning of increasing attacker activity to exploit the flaw, tracked as CVE-2025-0108 and first revealed in a blog post on Feb. 12 as a zero-day flaw by researchers at Searchlight Cyber AssetNote. PAN-OS is the operating system for Palo Alto's firewall devices; the flaw affects certain versions of PAN-OS v11.2, v11.1, v10.2, and v10.1 and has been patched for all affected versions.

Patch information is available in Palo Alto's security advisory on CVE-2025-0108, which is rated 8.8 and therefore of high severity on the CVSS scale. The company warned that while the PHP scripts that can be invoked don't themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further goals.

Indeed, researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.

Active Exploitation of Palo Alto Firewalls

Threat actors apparently got the memo on the potential for exploitation, as attacks on affected devices are on the rise. As of Feb. 18, 25 malicious IPs were actively exploiting CVE-2025-0108, up from just two the day after its discovery was made public, according to researchers at GreyNoise. The top three source countries for these attacks are the US, Germany, and the Netherlands, according to a blog post on the exploitation.

"Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them," Noah Stone, head of content at GreyNoise Intelligence, wrote in the post.

The increased activity to exploit the flaw compelled CISA to add it to the Known Exploited Vulnerabilities Catalog this week and urge those affected to apply Palo Alto's patches for affected device versions.

Why CVE-2025-0108 in PAN-OS Exists

The flaw exists because of a common architecture present in PAN-OS, "where authentication is enforced at a proxy layer, but then the request is passed through to a second layer with different behavior," security researcher Adam Kues wrote in Searchlight Cyber AssetNote's post.

"Fundamentally, these architectures lead to header smuggling and path confusion, which can result in many impactful bugs," he explained.

Specifically, a Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. The researchers found that when authentication of the requester is decided at the Nginx level, based on HTTP headers, the request is then reprocessed in Apache, which may process the path or headers differently from Nginx before finally handing off the request to PHP.

"If there is a difference between what Nginx thinks our request looks like and what Apache thinks our request looks like, we could achieve an authentication bypass," Kues explained.
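The class of bug Kues describes is easiest to see in a toy model. The following Python is an added illustration written for this article, not PAN-OS code and not AssetNote's research code: two layers of a hypothetical pipeline (an auth gate and a dispatcher) each normalize the request path on their own rules, and the dispatcher in the vulnerable variant trusts the gate's decision even though it routes on a different view of the path. The `PROTECTED_PREFIX`, the normalization rules, and the sample paths are all constructed assumptions; the point is the defensive invariant at the end, that authorization must be re-evaluated on the same canonical path the final handler actually uses, and that the two views can be audited for divergence.

```python
"""Toy model of auth enforced at one proxy layer and routing done at another.

Constructed for illustration: the normalization rules below are NOT how
Nginx, Apache or PAN-OS behave; they only stand in for "two layers that
parse the same request differently", the pattern the article describes.
"""
import posixpath
from urllib.parse import unquote

# Constructed: the path prefix the gate is supposed to protect.
PROTECTED_PREFIX = "/admin/"


def gate_view(raw_path: str) -> str:
    """Layer 1 (auth gate): decodes percent-escapes once and looks no further."""
    return unquote(raw_path)


def dispatch_view(raw_path: str) -> str:
    """Layer 2 (dispatcher): decodes again and collapses dot segments.

    This extra normalization is the constructed point of divergence.
    """
    return posixpath.normpath(unquote(unquote(raw_path)))


def gate_allows(raw_path: str, authenticated: bool) -> bool:
    """Auth decision taken on the gate's view of the path only."""
    return authenticated or not gate_view(raw_path).startswith(PROTECTED_PREFIX)


def naive_dispatch(raw_path: str, authenticated: bool) -> str:
    """Vulnerable pattern: trusts the gate, then routes on its own view."""
    if not gate_allows(raw_path, authenticated):
        return "denied"
    return f"handled {dispatch_view(raw_path)}"


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    """Hardened pattern: authorization re-checked on the final canonical path."""
    if not gate_allows(raw_path, authenticated):
        return "denied"
    target = dispatch_view(raw_path)
    if target.startswith(PROTECTED_PREFIX) and not authenticated:
        return "denied"
    return f"handled {target}"


def views_disagree(raw_path: str) -> bool:
    """True when the two layers would route the same request differently."""
    return posixpath.normpath(gate_view(raw_path)) != dispatch_view(raw_path)


def audit_divergence(raw_paths: list[str]) -> list[str]:
    """Defender's check: run a request corpus through both normalizers and
    return every path on which the layers disagree, for review."""
    return [p for p in raw_paths if views_disagree(p)]


if __name__ == "__main__":
    # Constructed sample: a plainly public path and a doubly-encoded one.
    samples = ["/public/index", "/public/%252e%252e/admin/settings"]
    for p in samples:
        print(p, "naive:", naive_dispatch(p, False), "| hardened:", hardened_dispatch(p, False))
    print("divergent:", audit_divergence(samples))
```

Run stand-alone, the naive dispatcher lets the unauthenticated doubly-encoded request reach the protected handler while the hardened one denies it, and `audit_divergence` flags exactly that request. The practical lesson for anyone operating a similar stack is that the gate's verdict is only meaningful for the bytes the gate saw; either both layers must share one canonical parser or the last layer must make its own authorization decision.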

The risk of exploitation is greatest if a network configuration allows access to the management interface from the Internet (or any untrusted network), either directly or through a dataplane interface that includes a management interface profile, Palo Alto noted in its advisory.

Eliminate Risk by Patching the Auth Bypass Now

Palo Alto's network devices are widely deployed and flaws in them are often quickly set upon by attackers, making it imperative that mitigation for CVE-2025-0108 happens sooner rather than later. The best way to eliminate the risk of exploitation entirely is to apply Palo Alto's updates to affected devices, according to CISA and researchers.

Affected organizations can also reduce this risk if network administrators ensure that only trusted internal IP addresses can access the management interface, according to Palo Alto. Defenders can discover any assets that require remediation action by visiting the Assets section of the Customer Support Portal, the company said.

Palo Alto also recommends that organizations allowlist IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the Internet.
