An authentication bypass vulnerability in Palo Alto Networks' PAN-OS software is now being exploited in the wild. The vendor has confirmed CVE-2025-0108, a flaw in the PAN-OS management web interface with a CVSS score of 8.8, which was initially disclosed on February 12th by security researcher Adam Kues of Assetnote.
In its security advisory, Palo Alto Networks explained that the flaw lets an unauthenticated attacker with network access to the management web interface bypass the authentication that PAN-OS otherwise requires and invoke certain PHP scripts. This does not by itself yield remote code execution, but it does compromise the integrity and confidentiality of the firewall. PAN-OS releases earlier than 11.2.4-h4, 11.1.6-h1, 10.2.13-h3 and 10.1.14-h9 are affected; customers are advised to upgrade to those releases or later.
However, for customers still running PAN-OS 11.0, which reached end-of-life in November, no fix is planned. Palo Alto Networks also published workarounds and mitigations to reduce risk, chiefly restricting access to the management web interface to trusted internal IP addresses, in line with its deployment best-practice guidelines.
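The two remediation questions the advisory raises, whether a device runs a fixed release and whether its management interface is restricted to trusted addresses, are easy to get wrong across a fleet, especially with hotfix suffixes such as "-h3" in play. The following is an added example written for this article, not Palo Alto Networks' or Assetnote's code. The fixed releases are the four named above; 11.0 and any other train without a listed fix are treated as affected. The location of the `permitted-ip` list inside an exported PAN-OS configuration is an assumption that should be verified against your own export, and the sample configuration is constructed for the example.

```python
"""Audit helpers for CVE-2025-0108 exposure (added example, not vendor code).

Two checks a practitioner would run across a fleet:
  1. Is the running PAN-OS release at or above the fixed release for its train?
  2. Does the exported config restrict the management interface to trusted
     networks via the permitted-ip list?
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from ipaddress import ip_network

# Fixed releases per train from the advisory, stored as (maintenance, hotfix).
FIXED = {
    (11, 2): (4, 4),   # 11.2.4-h4
    (11, 1): (6, 1),   # 11.1.6-h1
    (10, 2): (13, 3),  # 10.2.13-h3
    (10, 1): (14, 9),  # 10.1.14-h9
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """'10.2.13-h2' -> (10, 2, 13, 2); a release without a hotfix gets hotfix 0."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version: str) -> bool:
    """True if `version` is the fixed release for its train, or a later one.

    Trains with no fixed release in the advisory (11.0 is end-of-life) are
    treated as affected: the only remedy is moving to a supported train.
    """
    major, minor, maint, hotfix = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (maint, hotfix) >= fixed


# Assumption: the permitted-ip list sits at this path in an exported PAN-OS
# config (Device > Setup > Interfaces > Management in the web UI). Verify the
# path against your own export before relying on this check.
PERMITTED_IP_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"


def management_exposure(config_xml: str, trusted: list[str]) -> list[str]:
    """Return findings about who can reach the management interface.

    An empty permitted-ip list means PAN-OS accepts management connections
    from any source address that can reach the interface; any entry not fully
    contained in a trusted network is reported as well.
    """
    root = ET.fromstring(config_xml)
    trusted_nets = [ip_network(t, strict=False) for t in trusted]
    entries = [e.get("name") for e in root.iterfind(PERMITTED_IP_PATH)]
    if not entries:
        return ["permitted-ip is empty: management interface accepts any source"]
    findings = []
    for raw in entries:
        net = ip_network(raw, strict=False)
        # subnet_of() only compares networks of the same IP version.
        ok = any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)
        if not ok:
            findings.append(f"permitted-ip entry {raw} is outside trusted networks")
    return findings


# Constructed sample config, not a real export: one sensible entry plus a
# wildcard that silently disables the restriction.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.10.0.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

if __name__ == "__main__":
    for v in ("10.2.13-h2", "10.2.13-h3", "10.2.14", "11.0.4", "11.2.4-h4"):
        print(f"{v:12s} fixed={is_fixed(v)}")
    for f in management_exposure(SAMPLE_CONFIG, ["10.10.0.0/16"]):
        print("finding:", f)
```

The version check deliberately compares only within a train: 10.2.14 counts as fixed because it is later than 10.2.13-h3, while 10.2.13-h2 does not, and a 11.0 release is reported as affected no matter how recent. A `0.0.0.0/0` entry in `permitted-ip` is the configuration mistake the exposure check is built to catch, since it looks like a restriction but allows every source.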
After the initial disclosure, Palo Alto Networks updated the advisory to note that it had observed exploitation attempts in the wild using a public proof-of-concept exploit. Attackers were chaining it with an exploit for CVE-2024-9474, a previously disclosed PAN-OS zero-day that lets an administrator of the management web interface run commands as root: the authentication bypass supplies the access, and the second flaw turns it into root-level control of the firewall.
Reports from GreyNoise and the Shadowserver Foundation corroborated the exploitation attempts: GreyNoise observed 26 unique IP addresses attempting to exploit CVE-2025-0108 once the PoC was public, and Shadowserver counted approximately 3,300 PAN-OS management interfaces exposed to the internet.
Both Palo Alto Networks and Assetnote stressed applying the security updates and following best practices for securing PAN-OS management interfaces so that firewalls cannot be reached by unauthorized parties. Assetnote pointed to its zero-day research and its practice of coordinating with vendors before disclosure.
Palo Alto Networks in particular emphasized keeping external-facing management interfaces securely configured and advised organizations to review and update their settings; detailed mitigation guidance is in the CVE-2025-0108 security advisory.
In conclusion, the exploitation of this authentication bypass is a reminder that a firewall's management plane is an attack surface in its own right: patch promptly, keep management interfaces off the internet, and watch for exploitation attempts against them.
