Palo Alto Networks warns hackers are attempting to exploit a file read flaw in firewalls


Dive Brief:

  • Palo Alto Networks warned that threat actors are working to exploit an authenticated file read vulnerability in its firewalls in an attack chain that involves two previously disclosed flaws.
  • The file read vulnerability, tracked as CVE-2025-0111, allows an authenticated actor with network access to the management web interface to read files in the PAN-OS operating system that are readable by the “nobody” user. 
  • The company warned it has seen threat actors attempt to chain the file read flaw with an authentication bypass vulnerability, tracked as CVE-2025-0108, disclosed earlier this month. The authentication bypass flaw has also been chained together with CVE-2024-9474, a privilege escalation vulnerability disclosed in November.

Dive Insight:

The development of an attack chain is not entirely surprising, as threat actors were already chaining two of the prior vulnerabilities in previously disclosed exploitation attempts.

Researchers at AssetNote had previously discovered the authentication bypass vulnerability while investigating CVE-2024-9474, which emerged in exploitation activity seen in November.

The file read vulnerability was discovered by Palo Alto Networks researchers. They cautioned the risk is greatest if users directly enable access through a management interface or through a dataplane interface that includes a management interface profile. 

“Palo Alto Networks is urging customers to immediately patch two vulnerabilities in the PAN-OS web management interface CVE-2025-0108 and CVE-2025-0111,” a spokesperson said via email. “These vulnerabilities could allow unauthorized access to the management interface of affected firewalls, potentially leading to system compromise.”

The company declined to specify exactly how the attack chain works, citing security concerns, but emphasized that it is important to patch all identified vulnerabilities and said that CVEs are often more dangerous when combined.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-0111 Thursday to its known exploited vulnerabilities catalog. 

Palo Alto Networks said security teams can greatly reduce the risk of attack by only allowing trusted internal IP addresses to access the management interface.
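As an added illustration of that hardening advice (example code written for this page, not code from Palo Alto Networks or from the article), the following Python audits a PAN-OS configuration export for the management-interface allow-list and flags the conditions that leave the interface reachable from untrusted sources: no entries at all, a catch-all entry, or an entry outside the approved admin networks. It assumes the permitted-IP entries sit under deviceconfig/system/permitted-ip in the exported XML; that path and the sample export are assumptions and should be checked against a real export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export (not a real device's config).
# The permitted-ip block is the management-interface allow-list. The element path
# used below is an assumption about the export layout; verify it against your own export.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.0.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Assumed location of the management allow-list inside the export.
PERMITTED_IP_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"


def permitted_ips(config_xml):
    """Return the allow-list entries (as strings) found in a config export."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.findall(PERMITTED_IP_PATH)]


def audit_permitted_ips(entries, trusted_nets):
    """Return a list of findings for an allow-list.

    entries: strings from the export, e.g. "10.20.0.0/24" or "10.20.0.5".
    trusted_nets: the internal networks administrators are expected to use.
    """
    findings = []
    if not entries:
        # An empty allow-list means the management interface accepts any source.
        findings.append("no permitted-ip entries: management interface accepts any source")
        return findings
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)  # bare host -> /32 or /128
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 matches everything, so the list is not a restriction.
            findings.append(f"{raw}: allows any source, equivalent to no allow-list")
        elif not any(net.subnet_of(t) for t in trusted if t.version == net.version):
            findings.append(f"{raw}: not within the approved admin networks")
    return findings


if __name__ == "__main__":
    entries = permitted_ips(SAMPLE_CONFIG)
    for finding in audit_permitted_ips(entries, ["10.20.0.0/16"]):
        print(finding)
```

The same check is worth applying to any interface management profile attached to a dataplane interface, which the article notes is the other path by which the management service becomes reachable; only the XML path differs.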
