An authentication bypass flaw in Palo Alto Networks PAN-OS software is currently being exploited by attackers, prompting warnings from the Cybersecurity and Infrastructure Security Agency (CISA) and security researchers. The flaw, tracked as CVE-2025-0108, was first uncovered by researchers at Searchlight Cyber's Assetnote and disclosed in a blog post on February 12.
The flaw allows unauthenticated attackers to bypass the authentication interface and invoke certain PHP scripts. The affected versions are PAN-OS v11.2, v11.1, v10.2, and v10.1, and patches are available for all impacted versions. Palo Alto Networks has issued a security advisory with patch information; the flaw carries a CVSS severity score of 8.8.
While the PHP scripts themselves do not enable remote code execution, exploiting the flaw can compromise the integrity and confidentiality of PAN-OS, potentially giving attackers access to vulnerable systems. Exploitation attempts have been observed by chaining CVE-2025-0108 with other PAN-OS Web management interface flaws, including privilege escalation and authenticated file read vulnerabilities.
Attacks exploiting the flaw have significantly increased, with 25 malicious IPs actively targeting CVE-2025-0108 as of February 18. The top countries for these attacks are the US, Germany, and the Netherlands. GreyNoise researchers emphasize the urgency for organizations using PAN-OS firewalls to secure their devices promptly.
The rise in exploitative activity compelled CISA to add CVE-2025-0108 to the Known Exploited Vulnerabilities Catalog and urge affected parties to apply Palo Alto’s patches. The root cause of the flaw, as explained by security researcher Adam Kues, lies in the architecture of PAN-OS, where authentication passes through multiple layers, creating potential path confusion and authentication bypass.
To mitigate the risk of exploitation, Palo Alto recommends applying the latest updates to impacted devices and restricting access to the management interface to trusted internal IP addresses. Allow-listing those IPs in the management interface is also suggested so that any further management-interface vulnerabilities cannot be exploited from the Internet.
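As an added defender-side example (not from the article or from Palo Alto), the following Python script applies the trusted-IP allow-list idea to constructed management-interface access log lines: it reports every source outside the allow-list and how many PHP-script requests each made. The log format, the trusted networks and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Trusted internal ranges that may reach the management interface.
# Constructed for this example; substitute your own management networks.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]

# Constructed sample log lines in a generic "client_ip method path status" form.
# This is not real PAN-OS output; adapt LINE_RE to your log source.
SAMPLE_LOG = """\
10.1.2.3 GET /php/login.php 200
203.0.113.45 GET /php/login.php 401
203.0.113.45 POST /php/script.php 200
198.51.100.7 GET /favicon.ico 404
192.168.100.9 GET /php/login.php 200
203.0.113.45 GET /php/script.php 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(log_text: str) -> dict:
    """Count management-interface requests from untrusted sources.

    Returns {"untrusted": {ip: total_requests}, "php_hits": {ip: php_script_requests}}.
    Any source appearing in "untrusted" means the allow-list is not enforced at the
    network edge and the device should be checked for exposure.
    """
    untrusted: Counter = Counter()
    php_hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of aborting the audit
        ip, _method, path, _status = m.groups()
        if is_trusted(ip):
            continue
        untrusted[ip] += 1
        if path.endswith(".php"):  # direct PHP-script invocation from outside
            php_hits[ip] += 1
    return {"untrusted": dict(untrusted), "php_hits": dict(php_hits)}
```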
Given the widespread use of Palo Alto’s network devices and the rapid response of attackers to identified flaws, immediate action is critical to eliminate the risk posed by CVE-2025-0108. Organizations are advised to stay vigilant, apply patches, and follow best practices to safeguard their systems against evolving threats in the cybersecurity landscape.