
Cybersecurity experts have identified active exploitation of a critical vulnerability, CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls. This flaw allows attackers to bypass authentication on the management web interface, posing significant risks to affected systems.
Details of the Vulnerability
The vulnerability resides in the PAN-OS management web interface. An unauthenticated attacker with network access to the interface can bypass the authentication that the interface would normally require and invoke certain PHP scripts. Invoking these scripts does not by itself yield remote code execution, but it can negatively affect the integrity and confidentiality of the firewall.
Exploit Attempts Observed
Researchers from the Shadowserver Foundation have observed multiple attempts to exploit this vulnerability since February 13, 2025, the day after the fix was published. These attempts originated from 19 different IP addresses and used recently published proof-of-concept exploit code.
- Shadowserver Findings: Numerous exploit attempts detected in honeypots.
- GreyNoise Confirmation: Active exploitation of the flaw confirmed.
Technical Analysis
According to cybersecurity firm Assetnote, the vulnerability stems from inconsistent handling of URL-encoded request paths in the PAN-OS management interface. The Nginx front end and the Apache back end decode and normalize the same path differently: a request that Nginx classifies as an unauthenticated resource can, after Apache's additional decoding, resolve through directory traversal to a protected PHP script, which is then executed without credentials.
Root Cause and Impact
The root cause is a common architecture in which the authentication decision is made at a proxy layer, based on the request path as the proxy sees it, while a secondary layer re-decodes and re-normalizes that path before serving it. Because the two layers disagree about which resource the path refers to (path confusion), a crafted request is treated as an unauthenticated-allowed resource by the proxy yet reaches a protected management script at the back end.
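The following is an added, constructed illustration of that class of flaw; it is not PAN-OS code and not Assetnote's analysis. It models a proxy that exempts a hypothetical /public/ prefix from authentication after decoding the path once, and a back end that decodes the path a second time and collapses ".." segments, then shows a hardened dispatcher that canonicalizes before authorizing, plus a log check that flags requests where the two layers would disagree. The paths, prefixes and log lines are invented for the example.

```python
"""Toy model of a proxy/back-end path-confusion authentication bypass.

Constructed example (not PAN-OS or Assetnote code). PUBLIC_PREFIX and
PROTECTED_SCRIPT are hypothetical names chosen for illustration.
"""
import posixpath
from urllib.parse import unquote

PUBLIC_PREFIX = "/public/"            # hypothetical unauthenticated area
PROTECTED_SCRIPT = "/app/admin.php"   # hypothetical script that must need auth


def proxy_requires_auth(raw_path: str) -> bool:
    """Proxy layer: decode once, exempt anything under PUBLIC_PREFIX."""
    once = unquote(raw_path)
    return not once.startswith(PUBLIC_PREFIX)


def backend_resolve(raw_path: str) -> str:
    """Back-end layer: decode a second time, then collapse '.'/'..' segments."""
    twice = unquote(unquote(raw_path))
    return posixpath.normpath(twice)


def vulnerable_dispatch(raw_path: str, authenticated: bool) -> str:
    """Auth is decided only at the proxy; the back end trusts that decision."""
    if proxy_requires_auth(raw_path) and not authenticated:
        return "401"
    return backend_resolve(raw_path)


def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Decode until the path stops changing, then normalize it.

    A path that is still changing after max_rounds is treated as hostile.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("excessive percent-encoding")
    canon = posixpath.normpath(path)
    return canon if canon.startswith("/") else "/" + canon


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    """Authorize on the canonical path, and re-check auth at the back end."""
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return "400"
    if not canon.startswith(PUBLIC_PREFIX) and not authenticated:
        return "401"
    # Defense in depth: the protected script verifies auth itself.
    if canon == PROTECTED_SCRIPT and not authenticated:
        return "401"
    return canon


def is_suspicious(raw_path: str) -> bool:
    """Flag requests whose single- and full-decoded forms route differently."""
    once = posixpath.normpath(unquote(raw_path))
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return True
    return once != canon or "/../" in unquote(raw_path)


# Constructed access-log lines (TEST-NET addresses, invented requests).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:00:00:01 +0000] "GET /public/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2000:00:00:02 +0000] "GET /public/%252e%252e/app/admin.php HTTP/1.1" 200 88',
]


def suspicious_requests(log_lines):
    """Return the request paths in combined-format log lines that look like path confusion."""
    hits = []
    for line in log_lines:
        request = line.split('"')[1]          # 'GET /path HTTP/1.1'
        path = request.split(" ")[1]
        if is_suspicious(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    probe = "/public/%252e%252e/app/admin.php"
    print("vulnerable:", vulnerable_dispatch(probe, authenticated=False))
    print("hardened:  ", hardened_dispatch(probe, authenticated=False))
    print("flagged:   ", suspicious_requests(SAMPLE_LOG))
```

The vulnerable dispatcher serves the protected script to an unauthenticated client because the proxy sees "/public/%2e%2e/app/admin.php" (still under the exempt prefix) while the back end sees "/public/../app/admin.php" and normalizes it to "/app/admin.php". The hardened version makes both layers reason about the same canonical path, rejects paths that keep changing under decoding, and has the protected script check authentication itself rather than trusting an upstream header.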
Mitigation and Recommendations
Palo Alto Networks has released patches that address this vulnerability. Organizations should update affected firewalls to a fixed release promptly, since public exploit code is already in use.
- Patch Availability: Updates are available for PAN-OS versions 11.2, 11.1, 10.2, and 10.1.
- Security Measures: Restrict access to the management web interface to trusted internal IP addresses, and do not expose it to the internet. This does not remove the vulnerability, but it sharply reduces the number of attackers who can reach it while patches are rolled out.