
Palo Alto Networks PAN-OS vulnerability exploited in the wild
Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet.
An authentication bypass flaw in Palo Alto Networks' PAN-OS software has been exploited in the wild, the security vendor confirmed Monday.
CVE-2025-0108 is an authentication bypass vulnerability in PAN-OS, the operating system that runs Palo Alto Networks firewalls. The flaw, which carries a CVSS v4.0 base score of 8.8, was first disclosed on Feb. 12, with discovery credited to Assetnote security researcher Adam Kues.
According to Palo Alto Networks' security advisory, the vulnerability "enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts." The vendor said invoking PHP scripts does not enable remote code execution, but "can negatively impact integrity and confidentiality of PAN-OS."
Affected versions are those earlier than PAN-OS 11.2.4-h4, PAN-OS 11.1.6-h1, PAN-OS 10.2.13-h3 and PAN-OS 10.1.14-h9 in their respective release branches; those builds and later are fixed. Prisma Access and Cloud NGFW instances are unaffected, the vendor said. Fixed builds are available now, and the vendor recommends that customers upgrade to a supported version. For customers using PAN-OS 11.0, no fix is planned because that branch reached end-of-life status in November.
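A practical follow-on for anyone with more than a handful of firewalls is an inventory check against those fixed builds. The script below is an added example, not code from Palo Alto Networks or from the article: it parses PAN-OS version strings (including the `-hN` hotfix suffix, which plain string or float comparison gets wrong), compares each against the headline fixed release for its branch, and treats the end-of-life 11.0 branch as unfixable. The branch-to-fix table is constructed from the versions quoted above only; the advisory also lists hotfixes for older maintenance releases within each branch, so a "vulnerable" result for such a build means "check the advisory", not a confirmed exposure. The sample inventory is constructed.

```python
import re
from typing import NamedTuple

# First fixed build per release branch, as listed in the advisory and quoted above.
# Assumption/caveat: the advisory also names per-maintenance-release hotfixes that this
# table does not encode, so a build below the headline fix may still be patched.
FIXED_BY_BRANCH = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}
# PAN-OS 11.0 is end-of-life; the vendor has said no fix is planned.
EOL_BRANCHES = {(11, 0)}

# major.minor.maint with an optional "-hN" hotfix suffix, e.g. 10.2.13-h3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the build has no -hN suffix

    @classmethod
    def parse(cls, text: str) -> "PanOsVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version: {text!r}")
        major, minor, maint, hotfix = m.groups()
        return cls(int(major), int(minor), int(maint), int(hotfix or 0))

    @property
    def branch(self) -> tuple:
        return (self.major, self.minor)


def assess(version_text: str) -> str:
    """Classify one PAN-OS build against the CVE-2025-0108 fixed releases."""
    v = PanOsVersion.parse(version_text)
    if v.branch in EOL_BRANCHES:
        return "vulnerable (end-of-life, no fix planned)"
    fixed = FIXED_BY_BRANCH.get(v.branch)
    if fixed is None:
        return "unknown branch: check the advisory"
    # NamedTuple compares field by field, so 11.2.4 (hotfix 0) < 11.2.4-h4 < 11.2.5.
    if v >= PanOsVersion.parse(fixed):
        return "fixed"
    return f"vulnerable: upgrade to {fixed} or later (or a hotfix listed in the advisory)"


def assess_inventory(lines) -> dict:
    """Map 'hostname version' lines to assessments; unparsable versions are reported, not skipped."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        host, _, version = line.strip().partition(" ")
        try:
            report[host] = assess(version)
        except ValueError as exc:
            report[host] = f"error: {exc}"
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    "fw-edge-01 11.2.4-h4",
    "fw-edge-02 11.2.3",
    "fw-dc-01 10.2.13-h3",
    "fw-dc-02 10.2.13",
    "fw-branch-07 11.0.3",
    "fw-lab-01 9.1.17",
    "fw-lab-02 not-a-version",
]

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Hotfix-aware comparison is the part worth copying: a naive check that `"10.2.13" >= "10.2.13-h3"` as strings passes the unpatched base release, and stripping the suffix has the same effect.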
The vendor also lists workarounds and mitigations that apply whether or not a device has been patched. Palo Alto Networks said customers can reduce risk by "restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines." Customers at greatest risk are those whose management interfaces are exposed to the internet or reachable from any untrusted network.
Palo Alto Networks updated its advisory Tuesday morning to state that it has seen exploitation attempts in the wild using a proof-of-concept exploit.
"A proof of concept (PoC) exploit is publicly available for CVE-2025-0108. Palo Alto Networks has observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces," the vendor said.
Palo Alto Networks appeared to reference research from Assetnote's Kues, published on Feb. 12, that explains in significant technical detail how CVE-2025-0108 works. CVE-2024-9474 is a privilege escalation flaw in the same PAN-OS web management interface that was disclosed and exploited in the wild last fall; on its own, CVE-2025-0108 gives an unauthenticated attacker only the ability to invoke certain PHP scripts, which is why attackers are chaining the two.
At press time, GreyNoise had observed 26 unique IP addresses attempting to exploit CVE-2025-0108 in the wild. A scan by the security nonprofit Shadowserver Foundation counted approximately 3,300 PAN-OS management interfaces exposed to the internet as of Feb. 18.
A spokesperson for GreyNoise said in an email that researchers observed exploitation efforts "within hours" after the PoC was released.
Informa TechTarget asked Palo Alto Networks for comment on the attack timeline surrounding CVE-2025-0108, but the vendor declined to offer additional information. A spokesperson, however, offered the following statement:
The security of our customers is our top priority. Palo Alto Networks has confirmed reports of active exploitation targeting a vulnerability (CVE-2025-0108) in the PAN-OS web management interface. This vulnerability, chained with other vulnerabilities like CVE-2024-9474, could allow unauthorized access to unpatched and unsecured firewalls.
We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.
Detailed information and mitigation guidance are available in the CVE-2025-0108 security advisory.
A spokesperson for Assetnote said the company does not have timing on when exploitation attempts began because it does not offer threat intelligence services. The spokesperson provided the following statement on Assetnote's research:
For some context, we discovered this vulnerability, reported it to Palo Alto, and worked with them to set a coordinated public disclosure date. We perform this zero-day research so we can operationalize it through our platform for our customers. Sophisticated attackers (often ransomware groups) seek similar attack vectors, so we see this as the best way to preemptively close these gaps. We disclose these findings to vendors so we can work with them to remediate the issue in the product itself. Our customers also get privately notified of these security vulnerabilities early through platform findings so they know what and how to mitigate. Regardless of our research articles, we see opportunistic attackers weaponize exploits by easily reverse engineering patches across numerous vendors. We release our research so that more defenders in the community can understand the issue and detect it.
Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.