Description
A critical vulnerability, identified as CVE-2025-0108, has been discovered in the management web interface of Palo Alto Networks PAN-OS software. This vulnerability permits unauthenticated attackers to bypass authentication and invoke specific PHP scripts, granting them unauthorized access to certain functionalities. Although remote code execution is not facilitated by this vulnerability, it compromises the integrity and confidentiality of the affected PAN-OS systems. Palo Alto Networks advises restricting management web interface access to trusted internal IPs to reduce the risk significantly. Products such as Cloud NGFW and Prisma Access software remain unaffected.
Affected Product(s)
- Palo Alto Networks PAN-OS versions:
  - 10.1.0 up to but excluding 10.1.14
  - 10.2.0 up to but excluding 10.2.7
Technical Details
This vulnerability, tracked as CVE-2025-0108, is rooted in how the management web interface of Palo Alto Networks PAN-OS processes authentication. Threat actors exploit the gap by manipulating differences in path processing between the Nginx and Apache web servers within the management stack.
The path confusion flaw arises when double URL encoding combined with directory traversal bypasses standard authentication checks enforced by the **X-pan-AuthCheck** header. By successfully exploiting this gap, attackers could invoke specific PHP scripts without authenticating, providing unauthorized access to sensitive management functionalities.
Notably, the exploitation does not allow unauthorized users to perform remote code execution. However, this flaw poses a significant risk as it compromises the confidentiality of the system and could pave the way for additional exploits when chained with other vulnerabilities like CVE-2025-0111.
A Proof of Concept (PoC) for this vulnerability has already been shared across public platforms like GitHub, and it has been reported as actively exploited in the wild.
Threat intelligence suggests its use in coordinated attacks, where it is chained with other vulnerabilities to breach firewall defenses comprehensively.
ZoomEye, a search engine for internet-connected devices, has identified over 3,700 PAN-OS firewalls susceptible to this vulnerability, highlighting the widespread nature of the issue.
A known vector for exploitation involves running automated scanners to identify the vulnerable PAN-OS web interface and subsequently initiating the bypass. High-severity attacks have been observed targeting entities across various sectors, leveraging this flaw for intelligence gathering and potentially laying the groundwork for further compromise.
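As an added, defender-side example (not code from the original advisory or from Palo Alto Networks), the following Python scans web-server access-log lines for the double-URL-encoded traversal pattern described above, flagging request paths in which a ".." segment only becomes visible after a second decode pass, which is exactly what a front end that decodes once would miss. The log layout, client addresses and request paths are constructed assumptions; no real PAN-OS endpoint names are used.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed generic client / request line / status
# layout, not real PAN-OS logs); paths are placeholders, not real endpoints.
SAMPLE_LOGS = [
    '203.0.113.5 "GET /login.php HTTP/1.1" 200',
    '203.0.113.7 "GET /img/logo.png HTTP/1.1" 200',
    '198.51.100.9 "GET /unauth/%2e%2e/example/admin.php HTTP/1.1" 403',
    '198.51.100.9 "GET /unauth/%252e%252e/example/admin.php HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})$')
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")  # a literal ".." path segment

def classify(path):
    """Return indicators found in a request path:
    'traversal'                ".." segment visible after one decode pass
    'double-encoded-traversal' ".." segment visible only after a second pass,
                               the pattern a single-decoding front end misses
    'php-target'               fully decoded path names a PHP script
    """
    once = unquote(path)
    twice = unquote(once)
    indicators = []
    if TRAVERSAL.search(once):
        indicators.append("traversal")
    elif TRAVERSAL.search(twice):
        indicators.append("double-encoded-traversal")
    if twice.lower().endswith(".php"):
        indicators.append("php-target")
    return indicators

def scan_logs(lines):
    """Return (client, path, status, indicators) for every traversal hit.
    A 2xx response to a double-encoded traversal aimed at a PHP script is the
    combination to escalate first; a rejected plain traversal from the same
    source still shows that the interface was probed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # assumption: lines in another layout are skipped
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        indicators = classify(path)
        if any(i.endswith("traversal") for i in indicators):
            hits.append((client, path, status, indicators))
    return hits
```

Run `scan_logs` over exported management-interface access logs; hits whose status is 2xx and whose indicators include both double-encoded traversal and a PHP target are the ones to treat as a possible successful bypass.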
The primary products affected are non-cloud versions of PAN-OS running within enterprise network environments. As noted, versions starting from 10.1.0 up to but excluding 10.1.14 and 10.2.0 up to but excluding 10.2.7 are impacted. However, the Cloud NGFW (Next Generation Firewall) and Prisma Access products that run similar PAN-OS software are immune to this vulnerability due to differing deployment architectures.
Weakness
The weaknesses directly associated with CVE-2025-0108 are:
- CWE-287: Improper Authentication – The vulnerability allows attackers to bypass authentication controls.
- CWE-306: Missing Authentication for Critical Function – Certain critical functions in the PAN-OS management interface do not enforce authentication adequately, leading to unauthorized access.
Impact Assessment
Exploitation of CVE-2025-0108 poses significant risks to the confidentiality and integrity of affected PAN-OS systems. By bypassing authentication, unauthorized attackers could gain sensitive information and invoke high-priority administrative functions. These actions could result in:
- Unauthorized access to configuration data or logs within the network firewall ecosystem.
- Potential disruption or modification of security rules, thereby creating an unintended gateway for further exploits across the network.
- Chained exploitation with complementary vulnerabilities like CVE-2025-0111, potentially leading to full compromise of enterprise networks.
- Organizations that fail to mitigate this vulnerability may risk losing control over their network’s security posture, with attackers potentially enabling widespread intrusion or exfiltration of sensitive data.
Active Exploitation
There have been confirmed exploitations of CVE-2025-0108 in real-world attacks. GreyNoise, a threat intelligence platform, observed active attempts to leverage this vulnerability against PAN-OS firewalls, particularly through automated scanners. Attackers are leveraging public exploit Proof of Concepts (PoCs), including code repositories on GitHub, to expedite exploitation. Security researchers indicate that hackers are chaining this vulnerability with others like CVE-2025-0111 and CVE-2024-9474 for advanced tactics. These compounded vulnerabilities can comprehensively breach organizational firewalls, yielding a critical security risk in both enterprise and governmental environments.
Ransomware Association
Though there is no direct association between CVE-2025-0108 and ransomware campaigns, the authentication bypass flaw can provide attackers with an effective entry point for initiating lateral movement within an enterprise network. By gaining unrestricted access to security controls, attackers could potentially deactivate security appliances, disabling protections against ransomware delivery or subscription models. Thus, organizations must address this vulnerability proactively to defend against potential ransomware scenarios that exploit follow-up intrusion opportunities.
Mitigation and Resolution
Palo Alto Networks has released patches addressing CVE-2025-0108. Customers are advised to upgrade their PAN-OS software to:
- Version 10.1.14-h9 or later for PAN-OS 10.1.x
- Version 10.2.7-h24 or later for PAN-OS 10.2.x
Additionally, organizations are encouraged to restrict access to the management web interface to trusted internal IP addresses. Palo Alto Networks provides detailed best practices for management interface security, available at the following link: Tips & Tricks - How to Secure the Management Access of Your Palo Alto Firewall.
Recommendations
- Apply the latest available patch as soon as possible to resolve CVE-2025-0108.
- Update PAN-OS systems to at least 10.1.14-h9 for 10.1.x or 10.2.7-h24 for 10.2.x.
- Restrict access to the management web interface to trusted internal IP addresses by configuring interface-bound security policies.
- Monitor network activity and logs for unauthorized login attempts or escalated privileges that could indicate prior compromise.
- Perform regular penetration testing for exposed PAN-OS interfaces to unearth additional vulnerabilities.
- Educate system administrators about the risks posed by chaining vulnerabilities such as CVE-2025-0108 and ensure all accessible software plugins are current.
- Disable deprecated versions of PAN-OS (e.g., older than 10.1.0) and augment host-based firewalls if immediate patching is unavailable.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0108
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-0108.yaml
- https://security.paloaltonetworks.com/CVE-2025-0108
- https://nvd.nist.gov/vuln/detail/CVE-2025-0108
- https://github.com/iSee857/CVE-2025-0108-PoC
- https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
- https://www.darkreading.com/remote-workforce/patch-now-cisa-researchers-warn-palo-alto-flaw-exploited-wild
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/