Palo Alto warns another major firewall hack has been detected

News
By
last updated

Hackers are chaining three flaws to mount attacks on PAN-OS firewalls

The best free firewall
(Image credit: Shutterstock)
  • Palo Alto Networks is warning of an ongoing attack against its firewalls
  • The threat actors are chaining multiple flaws together
  • The goal is to download configuration files

Palo Alto Networks has warned its users of an ongoing attack that chains multiple vulnerabilities together to download configuration files and other sensitive information.

The cybersecurity company warned its users about CVE-2025-0111, a 7.1/10 (high-severity) file read vulnerability plaguing PAN-OS firewalls. This bug allows an authenticated attacker with network access to access the management web interface and read files usually readable by the “nobody” user.

The bug was fixed on February 12, 2025, when Palo Alto released a fix and urged users to apply it.

Diversion

On the same day, the company addressed a separate vulnerability, tracked as CVE-2025-0108. This one is an authentication bypass in PAN-OS that enables an unauthenticated attacker with network access to the web interface to bypass the authentication otherwise required by the PAN-OS interface, and invoke certain PHP scripts.

Finally, in mid-November 2024, Palo Alto fixed a privilege escalation bug tracked as CVE-20204-9474. Now, researchers are saying that these three are being chained together in ongoing attacks.

"Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces," it was said in the security advisory.

The company did not discuss the details of the attack, but BleepingComputer found that they are being used to download configuration files and other sensitive information.

So far, at least 25 different IP addresses were observed targeting CVE-2025-0108, up from just two a week ago. The top sources of the attacks seem to be the US, Germany, and the Netherlands, although this doesn’t necessarily mean the threat actors are located there.

While the community rushes to apply the patch and mitigate potential risks, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its 'Known Exploited Vulnerabilities' (KEV) catalog, giving users until March 11 to patch up.

Edit, February 21 - Following the publication of the story, a Palo Alto Networks representative reached out with the following statement:

"Palo Alto Networks is urging customers to immediately patch two vulnerabilities in the PAN-OS web management interface - CVE-2025-0108 and CVE-2025-0111 . These vulnerabilities could allow unauthorized access to the management interface of affected firewalls, potentially leading to system compromise. Exploitation attempts for CVE-2025-0108, which has a publicly available proof-of-concept exploit, have been observed chaining it with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. We continue to monitor the situation and leverage the currently operational mechanisms to detect customer compromises in telemetry and TSFs and support them through the EFR remediations

Customers with any internet-facing PAN-OS management interfaces are strongly urged to take immediate action to mitigate these vulnerabilities. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.

Immediate Actions:

Patch Now: Download and install the latest PAN-OS updates as described in the respective security advisories:

CVE-2025-0108: https://security.paloaltonetworks.com/CVE-2025-0108 
CVE-2025-0111: https://security.paloaltonetworks.com/CVE-2025-0111 

Restrict Access: If patching is not immediately possible, immediately restrict management interface access to only trusted internal IP addresses.
Enable Threat Prevention: Customers with a Threat Prevention subscription should enable Threat IDs 510000 and 510001 to block attacks exploiting these vulnerabilities.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
healthcare

Over a million clinical records exposed in data breach
QR Code

Hackers are targeting Signal with new QR code-linked cyberattack
An Apple Watch, iPhone and AirPods on the Journey Glyde 4-in-1 travel charger

I took the Journey Glyde on a four-week overseas trip and it barely kept up with my adventures
See more latest