Pierluigi Paganini
February 15, 2025
Researchers warn that threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls.
The Shadowserver Foundation researchers observed several CVE-2025-0108 attempts since 4 am UTC 2024-02-13 in their honeypots. The experts said that the malicious traffic was originated from 19 IPs seen, attackers attempted to use a recently published PoC exploit code for this vulnerability (with a few creative exceptions).
Many Palo Alto CVE-2025-0108 attempts seen since 4 am UTC 2024-02-13 in our honeypots, with 19 source IPs seen attempting the use of a recent PoC published for this vulnerability (with a few creative exceptions)
— The Shadowserver Foundation (@Shadowserver) February 14, 2025
Patch info: https://t.co/ogULH1UgBu pic.twitter.com/CzUMjAFARF
Cybersecurity firm GreyNoise also confirmed that threat actors attempted to exploit the flaw.
“GreyNoise can confirm active exploitation of CVE-2025-0108.” states GreyNoise. “Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them. “
“An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. reads the advisory published by Palo Alto Networks. the While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.“
The flaw resides in the PAN-OS management web interface. An unauthenticated attacker on the network couple exploit the vulnerability to bypass authentication and invoke certain PHP scripts.
The company warns that the risk is higher if the management interface is accessible from the internet or an untrusted network, directly or via a dataplane interface with a management profile. The security vendor recommends restricting access to trusted internal IP addresses to minimize the risk of exploitation.
The following versions address the vulnerability:
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.2 | < 11.2.4-h4 | >= 11.2.4-h4 |
| PAN-OS 11.1 | < 11.1.6-h1 | >= 11.1.6-h1 |
| PAN-OS 10.2 | < 10.2.13-h3 | >= 10.2.13-h3 |
| PAN-OS 10.1 | < 10.1.14-h9 | >= 10.1.14-h9 |
| Prisma Access | None | All |
Cybersecurity firm Assetnote discovered the vulnerability and published a detailed analysis of the issue.
The researchers demonstrated that attackers can exploit the flaw to extract data from vulnerable devices, including firewall configurations.
Assetnote states that CVE-2025-0108 exploits improper URL decoding in PAN-OS firewalls, allowing attackers to bypass authentication. The root cause of the issue is that Nginx and Apache handle encoded paths differently, leading to directory traversal and unauthorized execution of PHP scripts. Since Nginx disables authentication for certain paths, attackers can access the PAN-OS management interface without credentials, resulting in a full authentication bypass.
“we have explored a suspicious (and quite common) architecture where authentication is enforced at a proxy later but then the request is passed through a second layer with different behavior.” reads the report published by Assetnote. “Fundamentally, these sorts of architectures lead to things like header smuggling and path confusion, which can result in many impactful bugs!”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Palo Alto Networks PAN-OS firewalls)
