Source: www.securityweek.com – Author: Eduard Kovacs
Palo Alto Networks has confirmed for SecurityWeek that a recently patched firewall vulnerability tracked as CVE-2025-0108 is being actively exploited.
The existence of CVE-2025-0108 came to light on February 12, when Palo Alto Networks announced the availability of patches and mitigations. The PAN-OS authentication bypass flaw allows an unauthenticated attacker to gain access to the targeted device’s management interface and execute certain PHP scripts.
On the same day, Assetnote, whose researchers discovered the issue, disclosed technical details of the vulnerability.
Threat intelligence firm GreyNoise detected the first attempts to exploit CVE-2025-0108 on February 13. It’s unclear what the attackers are doing, but the company classified the activity as ‘malicious’, which indicates that threat actors are trying to exploit the vulnerability, rather than the cybersecurity community conducting tests to determine the prevalence of affected devices.
As of Tuesday, February 18, GreyNoise has seen attack attempts coming from nearly 30 unique IP addresses.
Palo Alto Networks told SecurityWeek late on Monday that the security of customers is its top priority and confirmed reports of active exploitation. The company also updated its advisory early on Tuesday morning to mention in-the-wild exploitation.
In its disclosure, Assetnote pointed out that CVE-2025-0108 can be chained with a separate vulnerability — such as the actively exploited CVE-2024-9474 — for remote code execution.
CVE-2024-9474 was patched in November 2024 and it has been exploited alongside CVE-2024-0012, an authentication bypass flaw that is similar to CVE-2025-0108.
Palo Alto Networks confirmed to SecurityWeek on Monday that CVE-2025-0108 can be chained with vulnerabilities such as CVE-2024-9474, allowing unauthorized access to unpatched and unsecured firewalls.
The company noted in its updated advisory that a PoC exploit for CVE-2025-0108 is publicly available.
“Palo Alto Networks has observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces,” it said.
It’s unclear if Palo Alto is referring to the exploit information released by Assetnote or a different PoC. We have seen several PoC exploits apparently designed to target CVE-2025-0108.
“We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025,” Palo Alto said in an emailed statement. “Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk.”
The Shadowserver Foundation has also seen attempts to exploit CVE-2025-0108 using an unspecified, publicly available PoC. The non-profit cybersecurity organization warned that roughly 3,500 PAN-OS management interfaces had been exposed to the web as of February 14.
Asked whether its disclosure of technical details may have made it easier for threat actors to exploit CVE-2025-0108, Assetnote told SecurityWeek that public disclosure was coordinated with Palo Alto Networks’ security team. The company also noted that attackers can typically reverse engineer patches fairly easily.
“Our research post is in efforts to help defenders understand how the vulnerability works so they can find any intrusion attempts and, therefore, for the security community to see if there has been exploitation in the wild. Otherwise, we would all be operating in the dark,” Assetnote said.
Original Post URL: https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
Category & Tags: Vulnerabilities, exploited, Featured, firewall, Palo Alto Networks