Exploitation of Palo Alto Networks – CVE-2025-0108

By Christian Mary Lagua on February 28, 2025

Executive Summary

On February 12, 2025, a critical authentication bypass vulnerability, CVE-2025-0108, was disclosed in Palo Alto Networks' PAN-OS. With a CVSS score of 8.8, the vulnerability allows unauthenticated attackers to execute PHP scripts on affected PAN-OS devices. Two earlier vulnerabilities, CVE-2024-9474 and CVE-2025-0111, are related to it. Patches have been made available for remediation.

Background

PAN-OS, the software running on Palo Alto Networks (PAN) firewalls, was the target of a series of exploitation campaigns with similar observed patterns before CVE-2025-0108 [5]. The first, CVE-2024-9474, is a privilege escalation vulnerability, and the second, CVE-2025-0111, is a file read vulnerability [6]. Although patches have been available, in the case of CVE-2024-9474 since November 2024, about 65% of devices running PAN-OS had not been fully patched as of February 2025. Many users may be unaware of the newly disclosed vulnerabilities and of the active attacks exploiting them.

Exploitation

CVE-2025-0108 stems from missing authentication, a critical security mechanism that verifies a user's identity before granting privileged access [3]. Because this check can be skipped in the PAN-OS web management interface, authentication can be bypassed. The vulnerable interface is served by Nginx, Apache, and PHP. The issue lies in web requests being processed differently by the Nginx proxy and the Apache backend. This path confusion lets an attacker craft a request that Nginx treats as not requiring authentication while Apache still routes it to a PHP script, so unauthorized PHP scripts are executed [2].
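Added example, not code from the original post or from Palo Alto Networks: a small Python scanner that flags access-log requests whose path a front proxy and a backend could resolve differently (double percent-encoding, escaped slashes or dots, unresolved dot segments), which is the class of request a Nginx/Apache path confusion like the one above depends on. The log format and request paths are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (method, raw request path, status); not real PAN-OS logs.
SAMPLE_LOG = """\
GET /login.php 200
GET /api/%252e%252e/admin/settings.php 200
GET /static/..%2fadmin/settings.php 200
GET /admin/settings.php 401
GET /help/./index.html 200
"""
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def decode_rounds(path: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the path stops changing; return the result and the rounds it took."""
    rounds = 0
    while rounds < max_rounds and unquote(path) != path:
        path, rounds = unquote(path), rounds + 1
    return path, rounds

def normalize(path: str) -> str:
    """Fully decode and resolve dot segments, the way a lenient backend might see the path."""
    return posixpath.normpath(decode_rounds(path)[0])

def confusion_indicators(path: str) -> list[str]:
    """Reasons a front proxy and a backend could disagree about where this path points."""
    reasons = []
    decoded, rounds = decode_rounds(path)
    if rounds > 1:                                   # needed more than one decode pass
        reasons.append("double-encoded")
    if re.search(r"%2[ef]", path, re.IGNORECASE):   # '/' or '.' hidden behind an escape
        reasons.append("encoded-slash-or-dot")
    if any(seg in (".", "..") for seg in decoded.split("/")):
        reasons.append("dot-segment")
    if normalize(path) != path:                      # string a filter sees != file actually served
        reasons.append("path-changes-on-normalize")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (raw path, normalized path, reasons) for every request that looks confusable."""
    flagged = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := confusion_indicators(m["path"])):
            flagged.append((m["path"], normalize(m["path"]), reasons))
    return flagged

if __name__ == "__main__":
    for raw, norm, why in scan_log(SAMPLE_LOG):
        print(f"{raw} -> {norm}: {', '.join(why)}")
```

Requests that survive normalization unchanged are left alone, so ordinary traffic is not flagged; anything reported is worth comparing against the authentication decision the front proxy made for it.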

Significance and Impact

Unpatched PAN-OS versions have been repeatedly exploited. As the number of attacks grows, users with vulnerable firewalls remain exposed. Successful exploitation lets attackers run PHP scripts and gain unauthorized access to sensitive data or root privileges, leading to system compromise. This threatens confidentiality and integrity, and can potentially lead to loss of customer confidence and revenue [4].

Mitigation

To mitigate the risks associated with CVE-2025-0108, users should apply the latest security updates, whitelist trusted IP addresses so that only necessary access is permitted, and implement additional security measures such as enforcing password complexity and multi-factor authentication [1]. Additionally, limiting internet exposure of management consoles reduces the opportunity for remote attacks. Keeping management interfaces private is not enough on its own, since risk also comes from misconfigured systems, compromised internal networks, and insider threats. PAN is currently working on additional fixes.

Conclusion

Past exploitations, including CVE-2025-0108, have allowed PAN to address vulnerabilities in PAN-OS, but many devices are still running unpatched versions and remain at risk. PAN will continue to apply additional fixes to its systems.

References

[1] National Institute of Standards and Technology. (2025, February 12). “CVE-2025-0108.” National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-0108

[2] Kues, A. (2025, February 12). “Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108).” SearchLight Cyber. https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/

[3] MITRE. (2006, July 19). “CWE-306: Missing Authentication for Critical Function.” MITRE. https://cwe.mitre.org/data/definitions/306.html

[4] Palo Alto Networks. (2025, February 12). “CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface.” Palo Alto Networks Security Advisories. https://security.paloaltonetworks.com/CVE-2025-0108

[5] Thomson, I. (2025, February 19). “Palo Alto firewalls under attack as miscreants chain flaws for root access.” The Register. https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/

[6] Toulas, B. (2025, February 19). “Palo Alto Networks tags new firewall bug as exploited in attacks.” BleepingComputer. https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/