Introduction
The critical authentication bypass vulnerability [1] [3] [5] [6] [7] [10] [11] CVE-2025-0108 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], discovered in Palo Alto Networks’ PAN-OS [5], poses significant security risks. This vulnerability, together with the flaws it can be chained with, threatens the integrity and confidentiality of affected systems, and organizations running affected devices need to act on it immediately.
Description
Researchers at Assetnote discovered CVE-2025-0108 [8], a critical authentication bypass vulnerability in Palo Alto Networks’ PAN-OS [1] [5] [10], the operating system that powers its next-generation firewall devices [10]. Disclosed on February 12, 2025 [6], this high-severity flaw has a CVSS score of 7.8. It allows unauthorized attackers with network access to the PAN-OS management web interface to bypass its authentication controls and invoke certain PHP scripts [1], gaining root-level access to affected systems [5] [11]. While the flaw does not directly enable remote code execution [1], it poses significant risks to system integrity and confidentiality [1]. It is particularly concerning because it can be chained with CVE-2024-9474, a privilege escalation vulnerability that was patched in November 2024, and with CVE-2025-0111 [2] [3] [5] [6] [7] [8] [9] [10] [11], which allows authenticated users to read files accessible to the “nobody” user through the firewall’s management web interface [3]. Together [2] [3] [4] [6], these vulnerabilities can lead to full device compromise [1].
Following the disclosure [3], Assetnote published a proof-of-concept exploit demonstrating how CVE-2025-0108 could be combined with CVE-2024-9474 and CVE-2025-0111 to extract sensitive configuration data and user credentials and ultimately gain root privileges on unpatched PAN-OS firewalls [8]. Researchers from GreyNoise reported a surge in active exploitation attempts, rising from 2 malicious IP addresses on February 13 to at least 25 by February 18, with the primary attack sources located in the US [8], Germany [1] [2] [3] [7] [8] [10] [11], the Netherlands [1] [2] [3] [7] [8] [10] [11], France [10], and Brazil [10]. As of February 14 [1] [6] [11], approximately 3,500 PAN-OS administrator interfaces were exposed online [6], underscoring the urgency for organizations to secure their systems.
On February 18 [1] [6] [8] [11], the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog [2] [3] [7] [8], emphasizing the critical nature of the situation and requiring federal agencies to apply security updates or remove vulnerable systems by March 11, 2025. The next day [8], Palo Alto Networks updated its advisories for CVE-2025-0108 and CVE-2025-0111 [8], confirming that exploit attempts chaining these vulnerabilities had been observed against unpatched and unsecured PAN-OS web management interfaces, and describing the attack’s complexity as “low.” Palo Alto Networks has stressed that these exploit attempts specifically target management interfaces that are both unpatched and unsecured.
GreyNoise researchers advised organizations using PAN-OS firewalls to assume that unpatched devices are being targeted and to take immediate security measures [8] [11], given the significant risks posed by this vulnerability, including the potential for threat actors to infiltrate sensitive systems [10], exfiltrate data [10], or deploy additional exploits within compromised networks [10]. As a precaution [5], administrators are encouraged to restrict access to the management web interface to trusted internal IP addresses [5]. Additionally, customers with a Threat Prevention subscription can block attempts to exploit CVE-2025-0108 and CVE-2025-0111 by enabling Threat IDs 510000 and 510001 [5]. All three vulnerabilities affect PAN-OS versions 10.1 (before 10.1.14-h9), 10.2 (before 10.2.13-h3), 11.1 (before 11.1.6-h1) [1], and 11.2 (before 11.2.4-h4) [1], for which patches are available [5]; Palo Alto Networks has confirmed that its Cloud NGFW and Prisma Access services are not impacted [5]. Organizations using Palo Alto firewalls must prioritize patch deployment to prevent imminent compromise [1], as CISA emphasizes the need to eliminate default exposures in critical infrastructure [1]. Administrators are advised to enforce strict access controls and to assume that unpatched devices may already be compromised [1]. WaterISAC has also advised its members to apply the patches and mitigations provided by Palo Alto Networks [9], highlighting the importance of proactive security measures in light of the ongoing exploitation of this vulnerability. Currently, there are no publicly available indicators of compromise [4] [9].
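As an added example (not code from this page or from Palo Alto Networks), the following Python check compares a PAN-OS version string against the minimum fixed releases listed above, so a defender can triage an inventory and see which firewalls still need the patch. The version thresholds are taken from the text and should be confirmed against the vendor advisory; the hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum fixed release per PAN-OS train, as stated in the advisory summary above.
# Confirm these against the vendor advisory before relying on them.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}

# PAN-OS versions look like "10.2.13" or "10.2.13-h3" (hotfix suffix optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version into a comparable (major, minor, patch, hotfix) tuple.
    A release with no hotfix suffix sorts below "-h1" of the same release."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its train, False if it is
    at or above it, None if the train is not covered by the table (needs manual review)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to a status for a patch report."""
    labels = {True: "PATCH", False: "ok", None: "unknown-train"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("fw-edge-1", "10.2.13-h2"), ("fw-dc-2", "11.1.6-h1"),
              ("fw-lab", "10.1.14"), ("fw-old", "9.1.10")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Devices whose train is not in the table (for example a 9.x release) are flagged rather than silently treated as safe, so they get looked at by hand.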
Conclusion
The discovery of CVE-2025-0108 underscores the critical need for organizations to promptly address vulnerabilities in their systems. Immediate patch deployment and stringent access controls are essential to mitigate the risks associated with this and related vulnerabilities. As cyber threats continue to evolve, maintaining robust security measures and staying informed about potential exploits are vital for safeguarding sensitive information and ensuring system integrity.
References
[1] https://cybersecuritynews.com/pan-os-vulnerability-actively-exploited/
[2] https://techcrunch.com/2025/02/19/palo-alto-networks-warns-of-another-firewall-vulnerability-under-attack-by-hackers/
[3] https://www.techmonitor.ai/technology/cybersecurity/palo-alto-networks-active-exploitation-pan-os-firewall-vulnerabilities
[4] https://www.helpnetsecurity.com/2025/02/19/palo-alto-networks-firewalls-cve-2025-0108-cve-2024-9474-cve-2025-0111/
[5] https://www.csoonline.com/article/3827829/hackers-gain-root-access-to-palo-alto-firewalls-through-chained-bugs.html
[6] https://www.techzine.eu/news/security/128886/palo-alto-confirms-exploitation-of-critical-vulnerability/
[7] https://www.techradar.com/pro/security/palo-alto-warns-another-major-firewall-hack-has-been-detected
[8] https://www.infosecurity-magazine.com/news/hackers-chain-exploits-three-palo/
[9] https://www.waterisac.org/portal/tlp-clear-vulnerabilities-palo-alto-network-firewalls-actively-exploited-chained-attacks
[10] https://www.techworm.net/2025/02/cisa-flags-palo-alto-sonicwall-flaws-exploited.html
[11] https://securityboulevard.com/2025/02/palo-alto-networks-pan-os-richixbw/