Hackers Actively Exploiting New PAN-OS Authentication Bypass Vulnerability


Palo Alto Networks has released a patch for a high-severity authentication bypass vulnerability, identified as CVE-2025-0108, affecting their PAN-OS software. GreyNoise has observed active exploitation attempts targeting this vulnerability.

The flaw allows unauthenticated attackers to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts.

While this doesn’t enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS.

PAN-OS Authentication Bypass CVE-2025-0108

The vulnerability, which has a CVSS score of 7.8, was discovered by Assetnote researchers while analyzing patches for previously exploited vulnerabilities CVE-2024-0012 and CVE-2024-9474.

The vulnerability originates from a path confusion issue between PAN-OS’s Nginx reverse proxy and Apache web server components.

Attackers craft HTTP requests with multi-layered URL encoding, so that Nginx incorrectly classifies the request as non-sensitive (signalling this to the back end via the X-pan-AuthCheck: off header) while Apache, after decoding the path again, processes it as a legitimate, authenticated request. This discrepancy allows attackers to:

  • Access restricted PHP scripts.
  • Compromise configuration integrity and confidentiality.
  • Exploit other vulnerabilities requiring authentication.

Palo Alto Networks rates the flaw as CVSS 7.8–8.8, depending on network exposure. The severity drops to 5.9 if management interfaces are restricted to trusted IPs.
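The path-confusion class described above, as an added example that is not code from the article, Palo Alto Networks or Assetnote: a naive front-end check that classifies a path after a single percent-decode while the back end decodes once more, beside a hardened check that decides on the fully canonical path and fails closed on multi-layer encoding. The `/protected/` prefix and the sample paths are hypothetical.

```python
"""Constructed illustration of proxy/back-end path confusion: the front end
classifies a path after one percent-decode, the back end decodes again.
All prefixes and paths are hypothetical, not PAN-OS's."""
from typing import Optional
from urllib.parse import unquote

# Hypothetical: URL prefixes the management interface treats as login-protected.
PROTECTED_PREFIXES = ("/protected/",)
MAX_DECODE_ROUNDS = 3  # bound on nested encoding layers we are willing to unwrap


def naive_auth_required(raw_path: str) -> bool:
    """Models the flawed front-end decision: decode once, then classify."""
    once = unquote(raw_path)
    return once.startswith(PROTECTED_PREFIXES)


def backend_view(raw_path: str) -> str:
    """Models a back end that percent-decodes the path a second time before
    resolving which script to run, so it can see a different path."""
    return unquote(unquote(raw_path))


def canonical_path(raw_path: str) -> Optional[str]:
    """Decode until the path stops changing (fixed point). Return None if it
    is still changing after MAX_DECODE_ROUNDS, i.e. treat it as ambiguous."""
    current = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return None


def hardened_auth_required(raw_path: str) -> bool:
    """Decide on the canonical form and fail closed whenever a single decode
    pass would not already yield it: that is exactly the case in which a
    front end and a back end decoding a different number of times disagree."""
    canon = canonical_path(raw_path)
    if canon is None or canon != unquote(raw_path):
        return True  # multi-layer encoded or ambiguous: require authentication
    return canon.startswith(PROTECTED_PREFIXES)
```

The double-encoded form of a protected path is the interesting input: the naive check waves it through, the back end resolves it to the protected script, and the hardened check requires authentication.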

Active Exploitation and Proof-of-Concept

GreyNoise has observed widespread exploitation attempts in the wild, with attackers leveraging available proof-of-concept (PoC) exploits.

While the vulnerability does not enable direct remote code execution, compromised scripts could facilitate:

  • Data exfiltration.
  • Log manipulation.
  • Deployment of secondary attacks.

Vulnerable PAN-OS versions include:

  • 11.2 versions < 11.2.4-h4
  • 11.1 versions < 11.1.6-h1
  • 10.2 versions < 10.2.13-h3
  • 10.1 versions < 10.1.14-h9

Cloud NGFW and Prisma Access are unaffected.

Mitigations:

  1. Immediate Patching: Upgrade to fixed PAN-OS versions.
  2. Network Hardening: Restrict management interface access to trusted IPs via firewall rules or VPNs.
  3. Monitoring: Use tools like GreyNoise to track exploitation trends.

Palo Alto Networks has not confirmed malicious exploitation but urges customers to prioritize updates. Assetnote’s Adam Kues emphasized that the flaw’s root cause, inconsistent request handling between Nginx and Apache, highlights risks in multi-layer authentication architectures.

GreyNoise Labs warned, “Organizations must assume unpatched devices are actively targeted. Exposure of management interfaces significantly amplifies attack surfaces.”

CVE-2025-0108 joins a growing list of PAN-OS vulnerabilities exploited in rapid succession. With attackers already weaponizing the flaw, enterprises must act swiftly to patch and isolate management interfaces.
