Palo Alto Networks, a prominent U.S. cybersecurity firm, has issued a warning that hackers are leveraging a newly discovered vulnerability in its firewall software to gain unauthorized access to customer networks that have not been patched.

The company confirmed on Tuesday that attackers are exploiting a vulnerability in PAN-OS, the operating system that powers its firewalls. This vulnerability is being actively exploited to target unpatched systems.

The cybersecurity firm Assetnote was the first to identify the vulnerability, which is tracked as CVE-2025-0108, during an analysis of earlier vulnerabilities in Palo Alto firewalls that had been exploited in previous attacks. The discovery was made earlier this month.

In response to the discovery, Palo Alto Networks released an advisory on the same day, urging its customers to apply a patch for the vulnerability as soon as possible. The company updated its advisory on Tuesday to reflect that the vulnerability is currently being exploited by attackers.

According to Palo Alto Networks, malicious actors are combining the newly discovered vulnerability with two previously disclosed flaws, specifically CVE-2024-9474 and CVE-2025-0111, to target the web management interfaces of PAN-OS that are not patched or secured. It’s worth noting that CVE-2024-9474 has been exploited in attacks since November 2024, as previously reported.

While the exact method by which the three vulnerabilities are being chained together by hackers has not been explained by Palo Alto Networks, the company has stated that the complexity of the attack is relatively low.

The full extent of the exploitation is not yet clear, but GreyNoise, a threat intelligence startup, observed that the number of IP addresses actively exploiting the PAN-OS vulnerability has increased from 2 to 25, indicating a rise in exploitation activity. GreyNoise has flagged these attempts as malicious, suggesting that they are being carried out by threat actors rather than security researchers.

GreyNoise has described the vulnerability as a high-severity flaw that allows unauthorized attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.

The highest levels of attack traffic have been observed in the United States, Germany, and the Netherlands, according to GreyNoise.

At present, it is unknown who is responsible for these attacks or whether any sensitive data has been compromised from customer networks. Palo Alto Networks has not responded to requests for comment from TechCrunch.

CISA, the U.S. government’s cybersecurity agency, added the latest Palo Alto vulnerability to its catalog of Known Exploited Vulnerabilities (KEV) on Tuesday, highlighting the urgency of patching this vulnerability.