
February 13, 2025 | Ravie Lakshmanan | Network Security / Vulnerability

Palo Alto Networks has addressed a high-severity security vulnerability in its PAN-OS software that could lead to an authentication bypass.

The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score drops to 5.1 if access to the management interface is restricted to a jump box.

“An authentication bypass in the Palo Alto Networks PAN-OS software allows an unauthenticated attacker with network access to the management web interface to bypass the authentication required by the PAN-OS management web interface and invoke specific PHP scripts,” Palo Alto Networks said in an advisory.

While invoking these PHP scripts does not enable remote code execution, it can still have negative impacts on the integrity and confidentiality of PAN-OS.

The following versions are affected by the vulnerability:

  • PAN-OS 11.2 < 11.2.4-h4 (resolved in version 11.2.4-h4 and later)
  • PAN-OS 11.1 < 11.1.6-h1 (resolved in version 11.1.6-h1 and later)
  • PAN-OS 11.0 (users should upgrade to a supported fixed version, as it has reached end-of-life status on November 17, 2024)
  • PAN-OS 10.2 < 10.2.13-h3 (resolved in version 10.2.13-h3 and later)
  • PAN-OS 10.1 < 10.1.14-h9 (resolved in version 10.1.14-h9 and later)
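The affected-version list above is easy to misread by hand because PAN-OS releases carry a hotfix suffix (`-h4`, `-h9`) that a plain string comparison gets wrong. The following added example, which is not Palo Alto Networks code, encodes the fixed releases listed above (and covers CVE-2025-0109, which has the same fixed releases) and classifies a version string as fixed, vulnerable or end-of-life. The version format `major.minor.patch[-hN]` is assumed from the strings on this page; any other branch is reported as unlisted rather than guessed.

```python
import re

# Fixed releases from the advisory summary above, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}

# PAN-OS 11.0 reached end-of-life on November 17, 2024 and has no fixed release.
EOL_BRANCHES = {(11, 0)}

# Assumed version format: major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.13-h3' into (10, 2, 13, 3); a missing hotfix counts as 0.

    Tuples compare element by element, so 10.2.13 < 10.2.13-h3 < 10.2.14 as expected.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str) -> str:
    """Classify a running PAN-OS version against the fixed releases on this page."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in EOL_BRANCHES:
        return "end-of-life: upgrade to a supported fixed release"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "branch not listed in the advisory summary: check the vendor advisory"
    if parsed < parse_version(fixed):
        return f"vulnerable: upgrade to {fixed} or later"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample inventory of version strings, not real device data.
    for v in ["10.2.13-h2", "10.2.13-h3", "11.2.4-h4", "11.1.5", "11.0.3", "9.1.0"]:
        print(f"{v:>12}: {assess(v)}")
```

The tuple comparison is the point of the example: treating versions as strings would rank `10.2.13-h9` below `10.2.13-h10` incorrectly, and would not order a hotfix-less `10.2.13` before `10.2.13-h3` at all.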

According to Adam Kues, a security researcher at Searchlight Cyber/Assetnote who discovered and reported the flaw, the issue is due to a discrepancy in how the interface’s Nginx and Apache components handle incoming requests, resulting in a directory traversal attack. More information can be found on the Searchlight Cyber blog.
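The bug class described above, two components of one interface that normalise the same request path differently, is worth seeing from the defender's side. The following added example (not code from Searchlight Cyber or Palo Alto Networks, and not the PAN-OS request paths) scans constructed access-log lines and reports requests whose path stays inside an allowed prefix as received but escapes it after one or more rounds of percent-decoding: exactly the shape of request that a front-end checking the raw path would let through while a back-end that decodes would resolve elsewhere. The allowed prefix `/public` and the sample paths are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in common log format; paths are invented for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2025:10:01:02 +0000] "GET /public/index.php HTTP/1.1" 200 512
203.0.113.11 - - [13/Feb/2025:10:01:05 +0000] "GET /public/../private/admin.php HTTP/1.1" 200 844
203.0.113.12 - - [13/Feb/2025:10:01:09 +0000] "GET /public/%2e%2e/private/admin.php HTTP/1.1" 200 844
203.0.113.13 - - [13/Feb/2025:10:01:12 +0000] "GET /public/%252e%252e/private/admin.php HTTP/1.1" 200 844
203.0.113.14 - - [13/Feb/2025:10:01:15 +0000] "GET /public/images/logo.png HTTP/1.1" 200 2048
"""

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_views(raw_path: str, max_rounds: int = 2) -> list:
    """Return the path as seen after 0, 1, ... max_rounds rounds of percent-decoding.

    Two components that decode a different number of times see different paths;
    that gap is the discrepancy this scanner looks for.
    """
    views = [raw_path]
    for _ in range(max_rounds):
        decoded = unquote(views[-1])
        if decoded == views[-1]:
            break  # nothing left to decode
        views.append(decoded)
    return views


def escapes_prefix(path: str, allowed_prefix: str) -> bool:
    """True if the path, after resolving '.' and '..', leaves the allowed prefix."""
    norm = posixpath.normpath(path)
    return not (norm == allowed_prefix or norm.startswith(allowed_prefix + "/"))


def analyse_line(line: str, allowed_prefix: str = "/public"):
    """Parse one log line; report at which decode round (if any) the path escapes the prefix."""
    match = _LINE_RE.match(line)
    if not match:
        return None
    views = decode_views(match["path"])
    escaping_round = next(
        (i for i, view in enumerate(views) if escapes_prefix(view, allowed_prefix)), None
    )
    raw_passes_check = not escapes_prefix(views[0], allowed_prefix)
    return {
        "ip": match["ip"],
        "path": match["path"],
        "status": int(match["status"]),
        "escaping_round": escaping_round,  # None means the path never escapes
        # Passes a raw-path prefix check but escapes after decoding: the two-component discrepancy.
        "discrepancy": raw_passes_check and escaping_round is not None,
    }


def scan_log(text: str, allowed_prefix: str = "/public") -> list:
    """Return the parsed records for every request that escapes the prefix at some decode round."""
    records = (analyse_line(line, allowed_prefix) for line in text.splitlines())
    return [r for r in records if r is not None and r["escaping_round"] is not None]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        flag = "DISCREPANCY" if alert["discrepancy"] else "plain traversal"
        print(f"{alert['ip']:>14} {flag:>16} round={alert['escaping_round']} {alert['path']}")
```

A literal `..` is caught by any prefix check and is flagged here as plain traversal; the interesting records are the ones flagged `discrepancy`, where the raw path looks fine and only the decoded form escapes. A successful status code on such a request is the signal an incident responder would triage first.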

Palo Alto Networks has also released updates to address two other vulnerabilities:

  • CVE-2025-0109 (CVSS score: 5.5) – An unauthenticated file deletion vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an attacker with network access to delete specific files, including limited logs and configuration files (resolved in PAN-OS versions 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9)
  • CVE-2025-0110 (CVSS score: 7.3) – A command injection vulnerability in the Palo Alto Networks PAN-OS OpenConfig plugin that enables an authenticated administrator to bypass system restrictions and execute arbitrary commands (resolved in PAN-OS OpenConfig Plugin version 2.1.2)

To mitigate the risks associated with the vulnerability, it is highly recommended to disable access to the management interface from the internet or any untrusted network. Customers who do not use OpenConfig can choose to disable or uninstall the plugin from their instances.

CVE-2025-0108 Under Active Exploitation

Threat intelligence firm GreyNoise has warned that malicious actors are actively attempting to exploit a newly patched authentication bypass flaw in Palo Alto Networks PAN-OS. According to data shared by the company, exploitation attempts have originated from five unique IP addresses located in the United States, China, and Israel.

“This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems,” said security researcher Noah Stone in a blog post.
