CVE-2025-0108
published 2025-02-12

Priority P1 · 99 · critical 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-03-11
Exploited in the wild
EPSS: 98.34% (99.9th percentile)
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue does not affect Cloud NGFW or Prisma Access software.

Affected

25 ranges

Vendor               Product         Version range               Fixed in
palo_alto_networks   pan-os          >= 10.1.0 < 10.1.14-h9      10.1.14-h9
palo_alto_networks   pan-os          >= 10.2.0 < 10.2.7-h24      10.2.7-h24
palo_alto_networks   pan-os          >= 11.1.0 < 11.1.6-h1       11.1.6-h1
palo_alto_networks   pan-os          >= 11.2.0 < 11.2.4-h4       11.2.4-h4
paloalto             cloud_ngfw      (no version range given)
paloalto             pan-os          (no version range given)
paloalto             prisma_access   (no version range given)
paloaltonetworks     pan-os          (no version range given; 14 such entries in the source)
paloaltonetworks     pan-os          >= 10.1.0 < 10.1.14         10.1.14
paloaltonetworks     pan-os          >= 10.2.0 < 10.2.7          10.2.7
paloaltonetworks     pan-os          >= 11.1.0 < 11.1.2          11.1.2
paloaltonetworks     pan-os          >= 11.2.0 < 11.2.4          11.2.4

The two sets of pan-os ranges do not agree on where "fixed" begins. The first set ends at hotfix builds (10.1.14-h9, 10.2.7-h24, 11.1.6-h1, 11.2.4-h4); the second ends at bare releases (10.1.14, 10.2.7, 11.1.2, 11.2.4), and the 11.1 upper bounds differ by four maintenance releases. A device on 10.1.14 without the -h9 hotfix is inside the first range and outside the second, so inventory matching has to compare the full version string including the -hN suffix rather than the dotted release alone. Note also that cloud_ngfw and prisma_access appear in the CPE-derived rows even though the description states those products are not affected.
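Matching an inventory of PAN-OS builds against these ranges is where the hotfix suffix bites, so here is a version check that does the comparison on the full version string. This is an added example, not code from the page or from Palo Alto Networks: the ranges are copied from the first set of pan-os rows (the -hN builds), the 11.0 end-of-life note comes from the detection bullets below, and parsing versions as "major.minor.maintenance-hN" is an assumption about PAN-OS version strings.

```python
"""Check a PAN-OS version string against the affected ranges listed above.

Added example; not code from the page or from Palo Alto Networks. Ranges are
the -hN hotfix rows of the table; the 11.0 note is from the detection bullets;
"major.minor.maint-hN" parsing is an assumption about PAN-OS version strings.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, maintenance, hotfix)

# (first affected, fixed in) per release train, copied from the table above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("10.1.0", "10.1.14-h9"),
    ("10.2.0", "10.2.7-h24"),
    ("11.1.0", "11.1.6-h1"),
    ("11.2.0", "11.2.4-h4"),
]

# From the page: PAN-OS 11.0 is end-of-life and receives no fix for this CVE.
UNPATCHED_TRAINS = {(11, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """'10.1.14-h9' -> (10, 1, 14, 9). A build with no -hN suffix gets hotfix 0,
    so the bare 10.1.14 sorts below 10.1.14-h9 and is still inside the range."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if the version lies in any listed range or on an unpatched train."""
    v = parse_version(version)
    if (v[0], v[1]) in UNPATCHED_TRAINS:
        return True
    return any(parse_version(lo) <= v < parse_version(fixed)
               for lo, fixed in AFFECTED_RANGES)


def fixed_build_for(version: str) -> Optional[str]:
    """Fixed build on the same release train, or None when the table lists none
    (an unpatched train, or a train the table does not cover at all)."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        lo_v = parse_version(lo)
        if (v[0], v[1]) == (lo_v[0], lo_v[1]):
            return fixed
    return None


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """(affected?, fixed build or None). (True, None) means vulnerable with no
    fix listed; for 11.0 that means moving to a supported train."""
    return is_affected(version), fixed_build_for(version)


if __name__ == "__main__":
    for v in ["10.1.14", "10.1.14-h9", "10.2.7-h23", "11.0.4", "11.1.6-h1", "9.1.17"]:
        affected, fix = assess(v)
        print(f"{v:12} affected={affected!s:5} fix={fix}")
```

A result of (False, None) for a train the table does not list (9.1, 10.0, 12.x) only means the page gives no range for it, not that the build is known good; extend AFFECTED_RANGES from the vendor advisory before relying on it for those trains.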

Detection & IOCs (extracted from sources)

  url    /global-protect/login.esp
  other  AS200373 (3xK Tech GmbH)
  other  AS208885 (Noyobzoda Faridduni Saidilhom)
  • CVE-2025-0108 exploits a path confusion between Nginx and Apache in PAN-OS to bypass authentication on the management web interface; monitor for unexpected requests to PHP scripts on the PAN-OS management interface from unauthenticated sources.
  • Active exploitation of CVE-2025-0108 began on February 13, 2025 at 17:00 UTC; use this timestamp to scope log reviews for initial compromise indicators.
  • CVE-2025-0108 is being chained with CVE-2024-9474 (privilege escalation to root) and CVE-2025-0111 (authenticated file read); detect multi-stage exploitation by correlating auth bypass attempts with subsequent file read and privilege escalation activity on the same management interface.
  • The exploit chain (CVE-2025-0108 + CVE-2025-0111 + CVE-2024-9474) can be used to download configuration files and other sensitive information; alert on unusual outbound transfers of configuration data from PAN-OS management interfaces.
  • GreyNoise released a dedicated tag 'Palo Alto PANOS CVE20250108 Auth Bypass Attempt' for real-time detection of exploitation attempts; subscribe to this tag for automated alerting.
  • Scanning spikes targeting GlobalProtect/PAN-OS management interfaces historically precede new vulnerability disclosures in 80% of cases; treat surges in /global-protect/login.esp traffic as a leading indicator of imminent exploitation.
  • Recurring TCP/JA4t fingerprints and reuse of the same ASNs across scanning campaigns can be used to cluster and attribute related exploitation activity against PAN-OS management interfaces.
  • CVE-2025-0108 does not affect Cloud NGFW or Prisma Access; scope detection and patching efforts to on-premises PAN-OS deployments only.
  • PAN-OS 11.0 is end-of-life and will not receive a patch for CVE-2025-0108; devices on this version remain permanently vulnerable unless upgraded to a supported release.
  • As of the reporting period, the vast majority of internet-exposed PAN-OS management interfaces remained unpatched; 65% (2,262 of 3,490 surveyed devices) were vulnerable to all three chained CVEs.
  • CVE-2025-0108 alone does not enable remote code execution; full system compromise requires chaining with CVE-2024-9474 (privilege escalation) and/or CVE-2025-0111 (file read).
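The bullets above describe what to look for but not how to run it over logs, so here is a small triage pass that applies them: unauthenticated requests to PHP scripts that were served rather than redirected, sources hitting /global-protect/login.esp repeatedly, sources in the two IOC ASNs, and the 2025-02-13 17:00 UTC start used to scope the review. This is an added example, not code from the page, from GreyNoise or from Palo Alto Networks. It assumes the management web server logs in Apache/Nginx combined format (the page does not give the PAN-OS log format); the IP-to-ASN table, the PHP paths and the sample log lines are constructed for the example.

```python
"""Triage management-interface access logs for the indicators described above.

Added example; not code from the page, GreyNoise or Palo Alto Networks. Assumes
combined log format (the real PAN-OS format is not given on the page). The
IP-to-ASN table, PHP paths and sample lines are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional

# From the page: active exploitation observed from this instant onward.
EXPLOITATION_START = datetime(2025, 2, 13, 17, 0, tzinfo=timezone.utc)

# ASNs listed as IOCs on the page; which IPs belong to them is assumed here.
IOC_ASNS = {"AS200373", "AS208885"}
IP_TO_ASN: Dict[str, str] = {       # constructed lookup, stands in for a real ASN feed
    "203.0.113.10": "AS200373",
    "198.51.100.7": "AS208885",
    "192.0.2.44": "AS64496",         # unrelated network, for contrast
}

# Combined log format: host ident user [time] "method path proto" status bytes "referer" "ua"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str      # "-" means the server saw no authenticated user
    method: str
    path: str      # path with the query string removed
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return Event(ts, m["ip"], m["user"], m["method"], path, int(m["status"]))


def is_unauth_php_hit(e: Event) -> bool:
    """The page's primary indicator: a PHP script served (2xx) to a request with
    no authenticated user. A 302 back to the login page is the intended
    behaviour of the interface and is deliberately not flagged."""
    return e.path.lower().endswith(".php") and e.user == "-" and 200 <= e.status < 300


def triage(lines: List[str], scan_threshold: int = 3) -> dict:
    """Return unauthenticated PHP hits (tagged with whether they fall after the
    observed exploitation start), sources inside the IOC ASNs, and sources that
    hit login.esp at least scan_threshold times."""
    unauth_php = []
    ioc_sources = set()
    login_esp_hits: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if IP_TO_ASN.get(e.ip) in IOC_ASNS:
            ioc_sources.add(e.ip)
        if e.path == "/global-protect/login.esp":
            login_esp_hits[e.ip] += 1
        if is_unauth_php_hit(e):
            unauth_php.append({
                "ip": e.ip, "path": e.path, "ts": e.ts.isoformat(),
                "after_start": e.ts >= EXPLOITATION_START,
            })
    return {
        "unauth_php": unauth_php,
        "ioc_asn_sources": ioc_sources,
        "login_esp_scanners": sorted(ip for ip, n in login_esp_hits.items() if n >= scan_threshold),
    }


# Constructed sample lines; the /php/placeholder_*.php paths are stand-ins, not real PAN-OS paths.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2025:16:58:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Feb/2025:16:58:03 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Feb/2025:16:58:04 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 4121 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Feb/2025:17:04:11 +0000] "GET /php/placeholder_script.php?x=1 HTTP/1.1" 200 812 "-" "python-requests/2.32"
192.0.2.44 - admin [13/Feb/2025:17:05:40 +0000] "GET /php/placeholder_script.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Feb/2025:17:06:01 +0000] "GET /php/placeholder_login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, only the 198.51.100.7 request is flagged: the admin session's PHP hit is authenticated, and the 302 is the interface sending an anonymous client to log in, which is the behaviour the bypass defeats. The after_start flag does not discard earlier hits; it marks which findings fall inside the window the page gives for initial compromise, since scanning against login.esp precedes exploitation and is expected before that timestamp.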

CVSS provenance

nvd        v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd        v4.0   8.8   HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Red
vulncheck         8.8   HIGH
cisa              8.8   HIGH

The two vectors disagree on integrity impact: the 3.1 vector scores I:H, the 4.0 vector VI:L, while the description says only that integrity "can" be negatively impacted. The 9.1 critical rating rests on the higher integrity reading; the 8.8 figures from the 4.0 vector, VulnCheck and CISA reflect the lower one.