U.S. CISA adds SonicWall SonicOS and Palo Alto PAN-OS flaws to its Known Exploited Vulnerabilities catalog
February 19, 2025
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The two vulnerabilities are:
- CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
- CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
Researchers recently warned that threat actors exploit a recently disclosed vulnerability, CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls.
The Shadowserver Foundation researchers observed several CVE-2025-0108 attempts since 4 am UTC 2024-02-13 in their honeypots. The experts said that the malicious traffic was originated from 19 IPs seen, attackers attempted to use a recently published PoC exploit code for this vulnerability (with a few creative exceptions).
Cybersecurity firm GreyNoise also confirmed that threat actors attempted to exploit the flaw.
“GreyNoise can confirm active exploitation of CVE-2025-0108.” states GreyNoise. “Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them. “
“An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. reads the advisory published by Palo Alto Networks. the While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.“
The flaw resides in the PAN-OS management web interface. An unauthenticated attacker on the network couple exploit the vulnerability to bypass authentication and invoke certain PHP scripts.
The company warns that the risk is higher if the management interface is accessible from the internet or an untrusted network, directly or via a dataplane interface with a management profile. The security vendor recommends restricting access to trusted internal IP addresses to minimize the risk of exploitation.
The following versions address the vulnerability:
Cybersecurity firm Assetnote discovered the vulnerability and published a detailed analysis of the issue.
The researchers demonstrated that attackers can exploit the flaw to extract data from vulnerable devices, including firewall configurations.
Assetnote states that CVE-2025-0108 exploits improper URL decoding in PAN-OS firewalls, allowing attackers to bypass authentication. The root cause of the issue is that Nginx and Apache handle encoded paths differently, leading to directory traversal and unauthorized execution of PHP scripts. Since Nginx disables authentication for certain paths, attackers can access the PAN-OS management interface without credentials, resulting in a full authentication bypass.
“we have explored a suspicious (and quite common) architecture where authentication is enforced at a proxy later but then the request is passed through a second layer with different behavior.” reads the report published by Assetnote. “Fundamentally, these sorts of architectures lead to things like header smuggling and path confusion, which can result in many impactful bugs!”
In early January, SonicWall urged customers to upgrade the SonicOS firmware of their firewalls to patch an authentication bypass vulnerability tracked as CVE-2024-53704 (CVSS score of 8.2). The vulnerability resides in SSL VPN and SSH management and according to the vendor is “susceptible to actual exploitation.”
“We have identified a high (CVE Score 8.2) firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled and that should be mitigated immediately by upgrading to the latest firmware, which will be web-posted tomorrow, Jan 7th, 2025. The same firmware upgrade contains mitigations for additional, less-critical vulnerabilities.” reads the notification sent by the company to the customers via email.
“The list of all security advisories and the associated list of vulnerabilities is below. Again, this upgrade addresses a high vulnerability for SSL VPN users that should be considered at imminent risk of exploitation and updated immediately.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by March 11, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)