- Palo Alto Networks fixes authentication bypass PAN-OS flaw
- A day after the patch was released, criminals started looking for vulnerable endpoints
- The flaw allows them to run different PHP scripts
A vulnerability in Palo Alto Networks firewalls is being abused in in-the-wild attacks, researchers are saying.
The company recently found, and fixed, an authentication bypass vulnerability in its PAN-OS firewalls. The flaw, tracked as CVE-2025-0108, has a severity score of 8.8/10 (high), and was said to affect multiple versions of the product.
It released a fix on February 12, 2025, urging users to upgrade their firewalls to these versions:
11.2.4-h4 or later
11.1.6-h1 or later
10.2.13-h3 or later
10.1.14-h9 or later
Exploit attempts
The vulnerability impacts the PAN-OS management web interface, and allows malicious actors to run different PHP scripts. This, in turn enables sensitive data exfiltration, firewall configuration tampering, and more.
Now, researchers from the security outlet GreyNoise said they observed attempts to exploit the flaw on unpatched endpoints. The attacks, they said, started a day after Palo Alto Networks released the patch (February 13), and came from multiple IP addresses, which could suggest that more attackers picked up on the vulnerability at the same time.
Citing information from Macnica researcher Yutaka Sejiyama, BleepingComputer reported that the attack surface likely counts more than 4,400 devices.
To protect the firewalls, users should apply the patch as soon as possible, and restrict access to the product’s interface, as soon as possible.
Firewalls used by SMBs are often targets because these types of businesses typically have weaker security configurations and outdated firmware. Many SMBs lack dedicated IT teams, leading to misconfigured firewall rules that create vulnerabilities. Furthermore, threat actors can use firewalls as entry points to bypass network defenses and gain deeper access to internal systems. Once compromised, firewalls can be used to intercept sensitive data, launch further attacks, or disable security measures altogether.
Edit, February 18 - After the publication of the story, a Palo Alto Networks spokesperson reached out with the following statement:
"The security of our customers is our top priority. Palo Alto Networks has confirmed reports of active exploitation targeting a vulnerability (CVE-2025-0108) in the PAN-OS web management interface. This vulnerability, chained with other vulnerabilities like CVE-2024-9474, could allow unauthorized access to unpatched and unsecured firewalls.
We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.
Detailed information and mitigation guidance are available in the CVE-2025-0108 security advisory: https://security.paloaltonetworks.com/CVE-2025-0108"
Via BleepingComputer
You might also like
- A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
