Palo Alto warns another major firewall hack has been detected

  • Palo Alto Networks is warning of an ongoing attack against its firewalls
  • The threat actors are chaining multiple flaws together
  • The goal is to download configuration files

Palo Alto Networks has warned its users of an ongoing attack that chains multiple vulnerabilities together to download configuration files and other sensitive information.

The cybersecurity company warned its users about CVE-2025-0111, a 7.1/10 (high-severity) file read vulnerability plaguing PAN-OS firewalls. This bug allows an authenticated attacker with network access to the management web interface to read files usually readable by the “nobody” user.

Palo Alto released a fix for the bug on February 12, 2025, and urged users to apply it.

Diversion

On the same day, the company addressed a separate vulnerability, tracked as CVE-2025-0108. This one is an authentication bypass in PAN-OS that enables an unauthenticated attacker with network access to the web interface to bypass the authentication otherwise required by the PAN-OS interface, and invoke certain PHP scripts.

Finally, in mid-November 2024, Palo Alto fixed a privilege escalation bug tracked as CVE-2024-9474. Now, researchers are saying that these three are being chained together in ongoing attacks.

"Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces," the security advisory said.

The company did not discuss the details of the attack, but BleepingComputer found that they are being used to download configuration files and other sensitive information.

So far, at least 25 different IP addresses have been observed targeting CVE-2025-0108, up from just two a week ago. The top sources of the attacks seem to be the US, Germany, and the Netherlands, although this doesn’t necessarily mean the threat actors are located there.

While the community rushes to apply the patch and mitigate potential risks, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its 'Known Exploited Vulnerabilities' (KEV) catalog, giving users until March 11 to patch up.

Edit, February 21 - Following the publication of the story, a Palo Alto Networks representative reached out with the following statement:

"Palo Alto Networks is urging customers to immediately patch two vulnerabilities in the PAN-OS web management interface - CVE-2025-0108 and CVE-2025-0111. These vulnerabilities could allow unauthorized access to the management interface of affected firewalls, potentially leading to system compromise. Exploitation attempts for CVE-2025-0108, which has a publicly available proof-of-concept exploit, have been observed chaining it with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. We continue to monitor the situation and leverage the currently operational mechanisms to detect customer compromises in telemetry and TSFs and support them through the EFR remediations.

Customers with any internet-facing PAN-OS management interfaces are strongly urged to take immediate action to mitigate these vulnerabilities. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.

Immediate Actions:

  • Patch Now: Download and install the latest PAN-OS updates as described in the respective security advisories:
      CVE-2025-0108: https://security.paloaltonetworks.com/CVE-2025-0108
      CVE-2025-0111: https://security.paloaltonetworks.com/CVE-2025-0111
  • Restrict Access: If patching is not immediately possible, immediately restrict management interface access to only trusted internal IP addresses.
  • Enable Threat Prevention: Customers with a Threat Prevention subscription should enable Threat IDs 510000 and 510001 to block attacks exploiting these vulnerabilities."

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.