On 12 February 2025, Palo Alto Networks published a security advisory for CVE-2025-0108, an authentication bypass vulnerability in the management web interface of PAN-OS. The vulnerability was responsibly disclosed to Palo Alto Networks by Assetnote, who published a blog article with technical details about how to exploit the vulnerability the same day it was disclosed. Since then, proof-of-concept exploit code has emerged publicly.
This vulnerability could allow an unauthenticated threat actor with network access to the management web interface to bypass authentication and invoke specific PHP scripts. Although the vulnerability does not allow for remote code execution directly, exploitation can be chained with other vulnerabilities such as CVE-2024-9474 to carry out administrative actions on affected firewalls.
Arctic Wolf strongly recommends updating to a fixed firmware version as soon as possible, as well as limiting access to the web management interface to trusted internal addresses.
Exploitation Attempts Chaining CVE-2025-0108 with CVE-2024-9474
A day after the vulnerability was disclosed by Palo Alto Networks, Greynoise released a blog article stating that they observed several unique IP addresses attempting to exploit the vulnerability but did not confirm successful exploitation.
On 18 February 2025, Palo Alto Networks updated their advisory confirming that exploit attempts were being made against the vulnerability and that threat actors were chaining it with CVE-2024-9474, a privilege escalation vulnerability in the web management interface of PAN-OS. Fixes for CVE-2024-9474 had been previously released on 11 November 2024.
In November 2024, Arctic Wolf observed threat actors exploiting CVE-2024-9474 along with CVE-2024-0012 to gain access to PAN-OS firewall devices through internet-exposed web management interfaces. Threat actors were observed extracting firewall configurations and deploying malware on compromised devices.
Recommendation for CVE-2025-0108
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version of PAN-OS.
| Product | Affected Version | Fixed Version |
|---|---|---|
| PAN-OS 11.2 | Versions before 11.2.4-h4 | 11.2.4-h4 and above |
| PAN-OS 11.1 | Versions before 11.1.6-h1 | 11.1.6-h1 and above |
| PAN-OS 10.2 | Versions before 10.2.13-h3 | 10.2.13-h3 and above |
| PAN-OS 10.1 | Versions before 10.1.14-h9 | 10.1.14-h9 and above |
Note: Cloud NGFW and Prisma Access are unaffected by this vulnerability.
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
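Checking an inventory against the table above by hand is error-prone because PAN-OS version strings carry a hotfix suffix (for example, 11.2.4 is affected while 11.2.4-h4 is fixed). The following is an added example, not Arctic Wolf's or Palo Alto Networks' own tooling: it parses PAN-OS version strings into comparable tuples, treats a missing `-hN` suffix as hotfix 0, and reports which devices in a constructed inventory still need the CVE-2025-0108 fix. The fixed versions are the ones listed in the table; the hostnames and versions in `INVENTORY` are made up, and release trains not covered by the table are reported as `unlisted` rather than guessed at.

```python
import re
from typing import List, Tuple

# Fixed versions per release train, taken from the advisory table above.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}

# Products the advisory states are unaffected by CVE-2025-0108.
UNAFFECTED_PRODUCTS = {"cloud ngfw", "prisma access"}

# major.minor.maintenance with an optional "-h<hotfix>" suffix, e.g. 10.2.13-h3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string into (major, minor, maint, hotfix).

    A missing hotfix suffix counts as hotfix 0, so that
    '11.2.4' < '11.2.4-h4' < '11.2.5' under ordinary tuple comparison.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(product: str, version: str) -> str:
    """Return 'unaffected', 'fixed', 'vulnerable' or 'unlisted' for one device.

    'unlisted' means the release train is not in the advisory table, so this
    script makes no claim about it; check the vendor advisory for those.
    """
    if product.strip().lower() in UNAFFECTED_PRODUCTS:
        return "unaffected"
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])  # look up by (major, minor) train
    if fixed is None:
        return "unlisted"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


# Constructed sample inventory; hostnames and versions are invented for the example.
INVENTORY = [
    {"hostname": "fw-dc1", "product": "PAN-OS", "version": "11.2.4-h4"},
    {"hostname": "fw-dc2", "product": "PAN-OS", "version": "11.1.5"},
    {"hostname": "fw-branch", "product": "PAN-OS", "version": "10.2.13-h3"},
    {"hostname": "fw-lab", "product": "PAN-OS", "version": "10.1.14-h8"},
    {"hostname": "cloud-1", "product": "Prisma Access", "version": "11.2.0"},
]


def find_vulnerable(inventory) -> List[str]:
    """Return hostnames of devices that are below the fixed version for their train."""
    return [
        d["hostname"]
        for d in inventory
        if assess(d["product"], d["version"]) == "vulnerable"
    ]


if __name__ == "__main__":
    for device in INVENTORY:
        status = assess(device["product"], device["version"])
        print(f"{device['hostname']:10} {device['product']:14} {device['version']:12} {status}")
    print("needs patching:", find_vulnerable(INVENTORY))
```

Feed the script the output of your own asset inventory in place of `INVENTORY`; any device reported as `vulnerable` should be scheduled for upgrade and, until then, have its management interface reachable only from trusted internal addresses as the workaround below describes.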
Workaround(s)
Palo Alto Networks recommends following its best-practice deployment guidelines.
- Restrict management interface access to only trusted internal IP addresses.
References
- Security advisory for CVE-2025-0108
- Security advisory for CVE-2024-9474
- Assetnote's technical blog
- Greynoise Blog