Palo Alto PAN-OS Authentication Bypass
What is the Vulnerability?

A recent authentication bypass vulnerability (CVE-2025-0108) in the Palo Alto Networks PAN-OS software is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. Successful exploitation of CVE-2025-0108 enables an unauthenticated attacker with network access to the management web interface to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts that can impact its integrity and confidentiality.

According to the vendor advisory, Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. A detailed Outbreak report including the attack using CVE-2024-9474 was released in Nov 2024. See more details: Palo Alto Networks Management Interface Attack | Outbreak Alert | FortiGuard Labs

- CVE-2024-9474 is an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall with root privileges.
- CVE-2025-0111 is an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the "nobody" user.

What is the recommended Mitigation?

Palo Alto has released a fix and has provided recommended mitigation. Please review the provided links below.

- CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface
- CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
- CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

What FortiGuard Coverage is available?

• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions mentioned in the vendor's advisory.
• FortiGuard Labs has available IPS protection for CVE-2024-9474 and CVE-2025-0108.
• FortiGuard Labs is reviewing IPS protections for CVE-2025-0111 and will update this Threat Signal report when available.
• FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
