Palo Alto Networks has fixed a high-severity authentication bypass vulnerability (CVE-2025-0108) in the management web interface of its next-gen firewalls, a proof-of-concept exploit (PoC) for which has been made public.
“Palo Alto Networks is not aware of any malicious exploitation of this issue,” the company says.
Fixed PAN-OS vulnerabilities (and unexpected reboots)
CVE-2025-0108 was discovered by Assetnote researchers after they decided to analyze the patches for CVE-2024-0012 and CVE-2024-9474, which have been exploited by attackers to compromise over 2,000 PAN firewalls in November 2024.
“As we looked further into the architecture of the management interface, we suspected something was off, even post-patch,” Assetnote researcher Adam Kues explained.
A deeper probe revealed exploitable variations in how three components – Nginx, Apache, and the PHP application – handle web requests to the management interface.
The exploit workflow (Source: Assetnote)
As noted by Assetnote’s CTO Shubham Shah, this vulnerability is a distinct security flaw from the recently patched vulnerabilities, but stems from similar architectural design choices.
After exploiting the flaw, attackers may invoke certain PHP scripts. “While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS,” Palo Alto Networks confirmed.
CVE-2025-0108 has been fixed in PAN-OS versions 11.2.4-h4 and later, 11.1.6-h1 and later, 10.2.13-h3 and later, and 10.1.14-h9 and later.
Those updates also contain fixes for CVE-2025-0111, an authenticated file read vulnerability, and CVE-2025-0109, an unauthenticated file deletion vulnerability, both in the firewalls’ management web interface.
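An added example (not from the article or from Palo Alto Networks): a Python check that compares an inventory of PAN-OS version strings against the fixed releases listed above and flags the two reboot-bug builds the article mentions. It assumes "and later" means a higher maintenance or hotfix number within the same release train; the hostnames and inventory are constructed.

```python
import re

# Minimum fixed release per PAN-OS train, as listed in the article for CVE-2025-0108.
FIXED = {
    (11, 2): (4, 4),    # 11.2.4-h4
    (11, 1): (6, 1),    # 11.1.6-h1
    (10, 2): (13, 3),   # 10.2.13-h3
    (10, 1): (14, 9),   # 10.1.14-h9
}
# Builds the article names as affected by the unexpected-reboot bug.
REBOOT_BUG = {"11.1.4-h7", "11.1.4-h9"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 for a base release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version):
    """Classify a version as 'fixed', 'needs_update' or 'unknown' for CVE-2025-0108."""
    major, minor, maint, hotfix = parse(version)
    threshold = FIXED.get((major, minor))
    if threshold is None:
        return "unknown"  # release train not covered by the article's list
    # Assumption: "and later" = higher (maintenance, hotfix) within the same train.
    return "fixed" if (maint, hotfix) >= threshold else "needs_update"


def audit(inventory):
    """Map hostname -> (status, on_reboot_bug_build) for a {hostname: version} dict."""
    return {host: (status(v), v.strip() in REBOOT_BUG) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = {"fw-edge-1": "11.1.4-h7", "fw-edge-2": "11.2.4-h4",
              "fw-dc-1": "10.2.13", "fw-lab": "9.1.0"}
    for host, (state, reboot) in audit(sample).items():
        print(f"{host}: {state}" + (" (reboot-bug build)" if reboot else ""))
```

A result of `needs_update` only means the build is below the threshold the article gives for its train; confirm against the vendor advisory before treating a hotfix on an older maintenance release as unpatched.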
Admins are advised to test and implement the updates, but to also prioritize disabling access to the management interface from the internet or any untrusted network and allowing access only from trusted internal IP addresses. This may not always be possible, but taking that step reduces the risk of exploitation of these and other vulnerabilities.
As a sidenote: if some of your PAN firewalls have recently rebooted unexpectedly for no apparent reason, be advised that it’s not due to an attack, but a bug in version 11.1.4-h7/h9 of PAN-OS that is triggered when certain traffic conditions are met.
“The hotfix 11.1.4-h12, which resolves the unexpected reboot issue, was initially shipped with limited availability on January 31. This version was made available to customers requiring immediate resolution, accessible through their account team,” a spokesperson told The Register.
“We are currently validating an additional unrelated regression fix in hotfix 11.1.4-h13. Our goal is to release this as a generally available (GA) update by February 20 or sooner.”
Other PAN fixes
On Wednesday, Palo Alto Networks also pushed out security updates for:
None of the vulnerabilities fixed in this round of updates is known to have been leveraged by attackers in the wild.