CVE-2025-0108
Published 2025-02-12
Priority: P1 · 99 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-03-11
Exploited in the wild
EPSS: 98.34% (99.9th percentile)
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.
You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).
This issue does not affect Cloud NGFW or Prisma Access software.
Affected
25 ranges (the 14 identical unversioned paloaltonetworks/pan-os rows are shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | pan-os | >= 10.1.0 < 10.1.14-h9 | 10.1.14-h9 |
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.7-h24 | 10.2.7-h24 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.6-h1 | 11.1.6-h1 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.4-h4 | 11.2.4-h4 |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
| paloaltonetworks | pan-os | — | — |
| paloaltonetworks | pan-os | >= 10.1.0 < 10.1.14 | 10.1.14 |
| paloaltonetworks | pan-os | >= 10.2.0 < 10.2.7 | 10.2.7 |
| paloaltonetworks | pan-os | >= 11.1.0 < 11.1.2 | 11.1.2 |
| paloaltonetworks | pan-os | >= 11.2.0 < 11.2.4 | 11.2.4 |
Read the two sets of ranges with care. The palo_alto_networks rows carry the vendor's fixed builds down to the -hN hotfix; the paloaltonetworks rows drop the hotfix suffix, so a device on 10.1.14 without -h9 satisfies the second set but is still vulnerable, and the 11.1 row's 11.1.2 bound does not match the vendor's 11.1.6-h1. The fix is also per maintenance release: the vendor shipped hotfixes for later releases within a branch (10.2.13-h3 is cited in the BleepingComputer excerpt below), so a later 10.2 release without its own hotfix is not covered by the 10.2.7-h24 row either. The cloud_ngfw and prisma_access rows are product identifiers only; the vendor states those products are not affected. PAN-OS 11.0 is absent because it is end-of-life and receives no fix.
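The following is an added example written for this page, not vendor tooling or code from any of the sources quoted here. It parses PAN-OS version strings including the -hN hotfix suffix, classifies a device against the fixed builds this page names (10.1.14-h9, 10.2.7-h24, 10.2.13-h3, 11.1.6-h1, 11.2.4-h4) plus the PAN-OS 11.0 end-of-life note, and puts that verdict next to what a plain range comparison built from the table would conclude. Assumptions: a hotfix build sorts after its base release, a maintenance release in a listed branch with no fix build named on this page is reported as "check advisory" rather than guessed, and the inventory hostnames are constructed.

```python
"""Added example: classify PAN-OS versions against the CVE-2025-0108 fixed builds
named on this page. Not vendor tooling; see the lead-in for assumptions."""
import re
from typing import List, NamedTuple, Tuple


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    hotfix: int  # 0 means the base maintenance release (no -hN suffix)


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """'10.2.7-h24' -> PanOsVersion(10, 2, 7, 24); '10.1.14' -> (10, 1, 14, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    return PanOsVersion(int(m[1]), int(m[2]), int(m[3]), int(m[4] or 0))


# Fixed builds this page names: the vendor table plus the 10.2.13-h3 build in
# the BleepingComputer excerpt. Tuple order makes NamedTuple comparison correct.
FIXED_BUILDS: List[PanOsVersion] = [
    parse_version(v)
    for v in ("10.1.14-h9", "10.2.7-h24", "10.2.13-h3", "11.1.6-h1", "11.2.4-h4")
]
EOL_BRANCHES = {(11, 0)}  # PAN-OS 11.0 is end-of-life; no fix will ship.


def classify(text: str) -> str:
    """Hotfix-aware verdict for one device version."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch in EOL_BRANCHES:
        return "vulnerable (end-of-life branch, no fix)"
    fixes = [f for f in FIXED_BUILDS if (f.major, f.minor) == branch]
    if not fixes:
        return "branch not listed on this page"
    for f in fixes:
        if f.patch == v.patch:
            # Same maintenance release: only the hotfix number decides.
            return "fixed" if v.hotfix >= f.hotfix else "vulnerable (missing hotfix)"
    if v.patch < min(f.patch for f in fixes):
        return "vulnerable"
    # A later maintenance release whose fix build is not named on the page.
    return "check advisory (fix is hotfix-specific)"


def naive_range_check(text: str) -> str:
    """What a plain '>= 10.2.0 < 10.2.7-h24'-style range comparison concludes.
    Kept to show the pitfall: it calls 10.2.13 fixed, which it is not."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    lowest_fix = min((f for f in FIXED_BUILDS if (f.major, f.minor) == branch),
                     default=None)
    if lowest_fix is None:
        return "branch not listed on this page"
    return "vulnerable" if v < lowest_fix else "fixed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(hostname, version) pairs -> (hostname, hotfix-aware verdict, naive verdict)."""
    return [(host, classify(ver), naive_range_check(ver)) for host, ver in inventory]


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("fw-dc1", "10.1.14"),
    ("fw-dc2", "10.1.14-h9"),
    ("fw-branch", "10.2.13"),
    ("fw-lab", "11.0.4"),
    ("fw-edge", "11.2.4-h4"),
]

if __name__ == "__main__":
    for host, verdict, naive in triage(SAMPLE_INVENTORY):
        flag = "" if verdict == naive else "   <-- range check disagrees"
        print(f"{host:10} {verdict:45} naive={naive}{flag}")
```

Run it against an exported inventory and treat every "check advisory" row as unresolved until the branch's own hotfix list has been consulted; the disagreement on 10.2.13 is the one that bites scanners that compare version tuples against a single lower bound.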
Detection & IOCs (extracted from sources)
- CVE-2025-0108 exploits a path confusion between Nginx and Apache in PAN-OS to bypass authentication on the management web interface; monitor for unexpected requests to PHP scripts on the PAN-OS management interface from unauthenticated sources.
- Active exploitation of CVE-2025-0108 began on February 13, 2025 at 17:00 UTC; use this timestamp to scope log reviews for initial compromise indicators.
- CVE-2025-0108 is being chained with CVE-2024-9474 (privilege escalation to root) and CVE-2025-0111 (authenticated file read); detect multi-stage exploitation by correlating auth bypass attempts with subsequent file read and privilege escalation activity on the same management interface.
- The exploit chain (CVE-2025-0108 + CVE-2025-0111 + CVE-2024-9474) can be used to download configuration files and other sensitive information; alert on unusual outbound transfers of configuration data from PAN-OS management interfaces.
- GreyNoise released a dedicated tag 'Palo Alto PANOS CVE20250108 Auth Bypass Attempt' for real-time detection of exploitation attempts; subscribe to this tag for automated alerting.
- Scanning spikes targeting GlobalProtect/PAN-OS management interfaces historically precede new vulnerability disclosures in 80% of cases; treat surges in /global-protect/login.esp traffic as a leading indicator of imminent exploitation.
- Recurring TCP/JA4t fingerprints and reuse of the same ASNs across scanning campaigns can be used to cluster and attribute related exploitation activity against PAN-OS management interfaces.
- CVE-2025-0108 does not affect Cloud NGFW or Prisma Access; scope detection and patching to PAN-OS firewall deployments (hardware and VM-Series, wherever hosted) rather than those cloud-delivered services.
- PAN-OS 11.0 is end-of-life and will not receive a patch for CVE-2025-0108; devices on this version remain permanently vulnerable unless upgraded to a supported release.
- As of the reporting period, the vast majority of internet-exposed PAN-OS management interfaces remained unpatched; 65% (2,262 of 3,490 surveyed devices) were vulnerable to all three chained CVEs.
- CVE-2025-0108 alone does not enable remote code execution; full system compromise requires chaining with CVE-2024-9474 (privilege escalation) and/or CVE-2025-0111 (file read).
CVSS provenance
- nvd v3.1: 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- nvd v4.0: 8.8 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red
- vulncheck: 8.8 HIGH
- cisa: 8.8 HIGH
GHSA
GHSA-hvqq-hwj3-c54m · ghsa_unreviewed · 2025-02-12 · CVE-2025-0108 [HIGH] CWE-306
The advisory text is the vendor description quoted at the top of this page (authentication bypass in the PAN-OS management web interface; certain PHP scripts invokable without authentication; no remote code execution; Cloud NGFW and Prisma Access not affected).
VulnCheck
CVE-2025-0111 [HIGH] CWE-73 · vulncheck · 2025 · CVSS 8.8
Palo Alto Networks PAN-OS File Read Vulnerability
Palo Alto Networks PAN-OS contains an external control of file name or path vulnerability. Successful exploitation enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://security.paloaltonetworks.com/CVE-2025-0108; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Remediation Due: 2025-03-13
VulnCheck
CVE-2025-0108 [HIGH] CWE-306 · vulncheck · 2025 · CVSS 8.8
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-13&host_type=src&vulnerability=cve-2025-0108; https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-
VulnCheck
CVE-2024-9474 [MEDIUM] CWE-77 · vulncheck · 2024 · CVSS 6.9
Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls and VPN concentrators.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, the management interfaces for affected devices should not be exposed to untrusted networks, including the internet.
Known Ransomware Campaign Use: Known
Exploitation References: https://security.paloaltonetworks.com/CVE-2024-9474; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
CISA
CVE-2025-0108 [HIGH] CWE-306 · cisa · 2025-02-18 · CVSS 8.8
Vulnerability: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://security.paloaltonetworks.com/CVE-2025-0108 ; https://nvd.nist.gov/vuln/detail/CVE-2025-0108
Remediation Due Date: 2025-03-11
Palo Alto
CVE-2025-0108 [HIGH] CWE-306 · vendor_paloalto · CVSS 8.8
PAN-OS: Authentication Bypass in the Management Web Interface
An authentication bypass in the management web interface of Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.
The attacker must have network access to the management web interface to exploit this issue. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guideline
Suricata
CVE-2025-0108 [HIGH] · suricata · 2025-02-13 · CVSS 8.8
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Management Web Interface Authentication Bypass (CVE-2025-0108)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Management Web Interface Authentication Bypass (CVE-2025-0108)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/unauth/"; fast_pattern; startswith; content:"/PAN_help/"; pcre:"/^\x2funauth\x2f[^\x25]*?(?:\x252e){2}.*?\x2fPAN_help\x2f.*?\x2e(?:css|js|html|htm)$/Ui"; reference:url,slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/; reference:cve,2025-0108; classtype:web-application-attack; sid:2060086; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_13, cve CVE_2025_0108, deployment
Nuclei
CVE-2025-0108 [HIGH] · nuclei · CVSS 8.8
PAN-OS Management Interface - Path Confusion to Authentication Bypass
A vulnerability in the PAN-OS management interface allows authentication bypass through path confusion between the Nginx and Apache handlers. The issue occurs because Nginx and Apache process the path differently: double URL encoding combined with directory traversal can bypass the authentication check enforced via the X-pan-AuthCheck header.
Template:
  id: CVE-2025-0108
  info:
    name: PAN-OS Management Interface - Path Confusion to Authentication Bypass
    author: halencarjunior,ritikchaddha
    severity: critical
    description: |
      A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx a
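The detection bullets earlier on this page and the Suricata and Nuclei entries above describe the same mechanism from two sides: the ET rule matches one URI shape, while the path-confusion description explains why that shape works. The script below is an added example written for this page, not code from Palo Alto Networks, Emerging Threats or the Nuclei template authors. It models the front end as one percent-decode followed by path normalization and the back end as a second decode plus normalization (an assumption standing in for the PAN-OS rewrite rules, which are not reproduced on this page), flags any request the front end would file under /unauth/ but the back end resolves elsewhere, runs a Python port of the sid 2060086 pcre as the narrow check, and correlates follow-on requests per source IP. The four access-log lines and the script name example.php are constructed for the demonstration.

```python
"""Added example: flag CVE-2025-0108-style path-confusion requests in
management-interface access logs and correlate follow-on activity by source.
Not PAN-OS, Emerging Threats or Nuclei code; the server model is simplified."""
import posixpath
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import unquote

UNAUTH_PREFIX = "/unauth/"

# Combined-log-format line: we only need client IP, timestamp, raw URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Python port of the pcre in ET sid 2060086. Suricata evaluates it against the
# once-decoded http.uri buffer, so matches_signature() decodes the raw URI once.
SIG_RE = re.compile(
    r"^/unauth/[^%]*?(?:%2e){2}.*?/PAN_help/.*?\.(?:css|js|html|htm)$", re.I
)


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes the way a server does before routing."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def nginx_view(raw_uri: str) -> str:
    """Front-end model: one percent-decode, then normalize. A literal '%2e%2e'
    left over from double encoding is not a '..' at this stage, so it survives."""
    return normalize(unquote(raw_uri))


def apache_view(raw_uri: str) -> str:
    """Back-end model (assumption): a second decode turns '%2e%2e' into '..',
    and normalization then walks out of /unauth/."""
    return normalize(unquote(unquote(raw_uri)))


def is_path_confusion(raw_uri: str) -> bool:
    """True when the front end files the request under /unauth/ (auth check off)
    but the back end resolves it to some other path."""
    return (nginx_view(raw_uri).startswith(UNAUTH_PREFIX)
            and not apache_view(raw_uri).startswith(UNAUTH_PREFIX))


def matches_signature(raw_uri: str) -> bool:
    """Narrow check: the exact URI shape the ET rule looks for."""
    return SIG_RE.search(unquote(raw_uri)) is not None


def scan(log_text: str) -> Dict[str, object]:
    """Return bypass hits, plus sources that later reached outside /unauth/."""
    hits: List[dict] = []
    seen_bypass = set()
    follow_on: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status = m["ip"], m["uri"], int(m["status"])
        if is_path_confusion(uri) or matches_signature(uri):
            hits.append({"ip": ip, "ts": m["ts"], "uri": uri, "status": status,
                         "resolves_to": apache_view(uri)})
            seen_bypass.add(ip)
        elif ip in seen_bypass and not nginx_view(uri).startswith(UNAUTH_PREFIX):
            follow_on[ip].append(uri)  # same source, later, authenticated area
    return {"hits": hits, "follow_on": dict(follow_on)}


# Constructed sample lines, not real traffic. 'example.php' is a placeholder
# script name, not a script this page associates with PAN-OS.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2025:17:02:11 +0000] "GET /unauth/%252e%252e/php/example.php/PAN_help/x.css HTTP/1.1" 200 512
203.0.113.7 - - [13/Feb/2025:17:02:13 +0000] "GET /php/example.php HTTP/1.1" 200 2048
198.51.100.4 - - [13/Feb/2025:17:03:40 +0000] "GET /unauth/PAN_help/help.css HTTP/1.1" 200 128
192.0.2.9 - - [13/Feb/2025:17:05:02 +0000] "GET /unauth/%2e%2e/PAN_help/x.css HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"BYPASS    {h['ip']} {h['ts']} {h['uri']} -> {h['resolves_to']} ({h['status']})")
    for ip, uris in result["follow_on"].items():
        print(f"FOLLOW-ON {ip}: {', '.join(uris)}")
```

The generalized check is the reason to run both: it also catches a request that swaps the .css suffix or the PAN_help marker for something the signature does not list, while the single-encoded line shows why normal traversal does not bypass (the front end already normalizes it out of /unauth/). Prioritize hits that returned 200, and treat a later non-/unauth/ request from the same source as the first item to pull into the incident timeline, scoped from the 2025-02-13 17:00 UTC start cited above.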
Bleepingcomputer
Palo Alto Networks warns of DoS bug letting hackers disable firewalls
blogs_bleepingcomputer · 2026-01-15 · CVSS 6.6 · CVE-2026-0227 [MEDIUM]
By Sergiu Gatlan
Palo Alto Networks patched a high-severity vulnerability that could allow unauthenticated attackers to disable firewall protections in denial-of-service (DoS) attacks.
Tracked as CVE-2026-0227, this security flaw affects next-generation firewalls (running PAN-OS 10.1 or later) and Palo Alto Networks' Prisma Access configurations when the GlobalProtect gateway or portal is enabled.
The cybersecurity company says that most cloud-based Prisma Access instances have already been patched, with those left to be secured already scheduled for an upgrade.
"A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated a
Bleepingcomputer
GlobalProtect VPN portals probed with 2.3 million scan sessions
blogs_bleepingcomputer · 2025-11-20
By Bill Toulas
Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.
Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin .
"Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high."
In early October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS prof
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz · 2025-03-01 · CVSS 9.8 · CVE-2025-0108 [CRITICAL]
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Bleepingcomputer
CISA flags Craft CMS code injection flaw as exploited in attacks
blogs_bleepingcomputer · 2025-02-21 · CVSS 6.9 · CVE-2025-23209 [MEDIUM]
By Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks.
The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5.
Craft CMS is a content management system (CMS) used for building websites and custom digital experiences.
Not many technical details about CVE-2025-23209 are available, but exploitation isn't easy, as it requires the installation's security key to have already been compromised.
In Craft CMS, the security key is a cryptographic key that secures user authentication tokens, session cookies, database values, and
Bleepingcomputer
Palo Alto Networks tags new firewall bug as exploited in attacks
blogs_bleepingcomputer · 2025-02-19 · CVSS 6.9 · CVE-2025-0111 [MEDIUM]
By Bill Toulas
Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 and CVE-2024-9474) to breach PAN-OS firewalls in active attacks.
The vendor first disclosed the authentication bypass vulnerability tracked as CVE-2025-0108 on February 12, 2025, releasing patches to fix the vulnerability. That same day, Assetnote researchers published a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained together to gain root privileges on unpatched PAN-OS firewalls.
A day later, network threat intel firm GreyNoise reported that threat actors had begun actively exploiting the flaws , with attempts coming from
Checkpoint
17th February – Threat Intelligence Report
blogs_checkpoint · 2025-02-17 · CVE-2025-0108
For the latest discoveries in cyber research for the week of 17th February, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
SimonMed Imaging, one of the largest diagnostic imaging companies in the US, has been breached by Medusa ransomware group, resulting in the theft of over 212 GB of sensitive data from its servers. The group demanded a $1 million ransom in Bitcoin and exposed private information of more than 132,000 individuals, includin
Bleepingcomputer
Hackers exploit authentication bypass in Palo Alto Networks PAN-OS
blogs_bleepingcomputer · 2025-02-14 · CVSS 8.8 · CVE-2025-0108 [HIGH]
By Bill Toulas
Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.
The security issue received a high-severity score and impacts the PAN-OS management web interface and allows an unauthenticated attacker on the network to bypass authentication and invoke certain PHP scripts, potentially compromising integrity and confidentiality.
In a security bulletin on February 12, Palo Alto Networks urges admins to upgrade firewalls to the versions below to address the issue:
11.2.4-h4 or later
11.1.6-h1 or later
10.2.13-h3 or later
10.1.14-h9 or later
PAN-OS 11.0 is also impacted but the product reached t
Greynoiseio
GreyNoise Observes Active Exploitation of PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)
blogs_greynoiseio · 2025-02-13 · CVSS 8.8 [HIGH]
Greynoiseio
NoiseLetter February 2025
blogs_greynoiseio · CVSS 8.8 [HIGH]
Greynoiseio
Storm Watch
blogs_greynoiseio
References
- https://security.paloaltonetworks.com/CVE-2025-0108
- https://github.com/iSee857/CVE-2025-0108-PoC
- https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
- https://www.darkreading.com/remote-workforce/patch-now-cisa-researchers-warn-palo-alto-flaw-exploited-wild
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0108
Timeline
- 2025-02-12 Published
- 2025-02-18 Added to CISA KEV
- Exploited in the wild