
Palo Alto Networks vulnerabilities exploited in chained attack

The cybersecurity vendor urges customers to take immediate action to mitigate recently disclosed vulnerabilities that are being actively exploited in the wild.

Palo Alto Networks warned that attackers are using an exploit chain involving two recently disclosed vulnerabilities in its firewall management interfaces.

On Tuesday, Palo Alto Networks disclosed exploitation activity in an updated security advisory for an authenticated file read vulnerability, tracked as CVE-2025-0111, in the vendor's PAN-OS software that was initially disclosed on Feb. 12. Palo Alto Networks rated the flaw at its "highest" urgency level and recommended that customers disable internet access to the PAN-OS web management interface.

The update, published one week after the initial disclosure, warned of exploitation activity where attackers chained CVE-2025-0111 with two other Palo Alto Networks vulnerabilities. The first is another recently disclosed vulnerability, tracked as CVE-2025-0108, that came under attack as a zero-day. The second is an older, previously disclosed vulnerability tracked as CVE-2024-9474.

The latter was also exploited in zero-day attacks against the security vendor's firewall management interfaces in November. However, it appears that some instances remain unpatched.

"Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces," the company wrote in the updated security advisory.

Informa TechTarget contacted Palo Alto Networks for comment regarding the attack scope. The security vendor confirmed that it has observed limited exploitation at this time and provided the following statement:

Palo Alto Networks is urging customers to immediately patch two vulnerabilities in the PAN-OS web management interface -- CVE-2025-0108 and CVE-2025-0111. These vulnerabilities could allow unauthorized access to the management interface of affected firewalls, potentially leading to system compromise. Exploitation attempts for CVE-2025-0108, which has a publicly available proof-of-concept exploit, have been observed chaining it with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. We continue to monitor the situation and leverage the currently operational mechanisms to detect customer compromises in telemetry and TSFs and support them through the EFR remediations.

Palo Alto Networks added that customers should take immediate action by downloading and installing the latest PAN-OS updates provided in the security advisories for CVE-2025-0108 and CVE-2025-0111. The vendor said it could not provide patching rates for CVE-2024-9474 due to customer security concerns.

Palo Alto Networks credited security researchers Émilio Gonzalez and Maxime Gaudreault, as well as its own Deep Product Security Research Team, for discovering and reporting CVE-2025-0111. Last year, Gonzalez called out Palo Alto Networks in a post to Mastodon for poor vulnerability disclosure around CVE-2024-0012, another zero-day flaw that also affected the vendor's web management interface. In another Mastodon post on Feb. 12, Gonzalez shared the advisory for CVE-2025-0111 and said it was his first CVE and bug bounty.

CISA added CVE-2025-0111 to its Known Exploited Vulnerabilities list on Thursday, giving federal agencies a March 13 deadline to apply vendor mitigations.

Palo Alto Networks' PAN-OS software, the operating system that runs the vendor's firewalls, has become a popular target for attackers over the past year. In November, attackers exploited CVE-2024-9474 and CVE-2024-0012 in zero-day attacks, which led to the compromise of at least 2,000 PAN-OS management interfaces.

In April, Palo Alto Networks confirmed that attackers exploited a command injection flaw, tracked as CVE-2024-3400, affecting the GlobalProtect gateway feature of its PAN-OS software. Additionally, in January, Eclypsium researchers detailed several security issues they discovered in Palo Alto Networks' firewall products as attacks against edge devices rise.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.
