Introduction to the Authentication Bypass Flaw
Attackers are actively exploiting an authentication bypass flaw in the Palo Alto Networks PAN-OS software. The flaw lets an unauthenticated attacker with network access to the management web interface bypass authentication and invoke certain PHP scripts on the device.
Details of the Flaw
Both the Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning of increasing attacker activity against the flaw, tracked as CVE-2025-0108. It was first publicly described on February 12 in a blog post by researchers at Searchlight Cyber's Assetnote, who reported it as a zero-day. PAN-OS is the operating system for Palo Alto's firewall appliances, and the flaw affects specific releases in the PAN-OS 11.2, 11.1, 10.2, and 10.1 branches. Patch information is available in Palo Alto's security advisory for CVE-2025-0108, which carries a CVSS score of 8.8 (High).
Impact of the Flaw
The company warned that while the PHP scripts that can be invoked do not themselves enable remote code execution, exploiting the flaw "can negatively impact integrity and confidentiality of PAN-OS," potentially giving attackers access to vulnerable systems, where other bugs could be used to achieve further aims. Researchers observed attackers making exploit attempts by chaining CVE-2025-0108 with two other PAN-OS Web management interface flaws — CVE-2024-9474, a privilege escalation flaw, and CVE-2025-0111, an authenticated file read vulnerability — on unpatched and unsecured PAN-OS instances.
Active Exploitation of Palo Alto Firewalls
Threat actors are actively exploiting the flaw, and attacks on affected devices are rising. As of February 18, researchers at GreyNoise had observed 25 malicious IP addresses actively exploiting CVE-2025-0108, up from just two on the day after the flaw was made public. The three most-targeted countries are the US, Germany, and the Netherlands. Organizations running PAN-OS firewalls should assume that unpatched devices with a reachable management interface are being targeted and take immediate steps to secure them.
Why CVE-2025-0108 in PAN-OS Exists
The flaw exists because of a common architectural pattern in PAN-OS: authentication is enforced at a proxy layer, after which the request is passed to a second layer that parses and normalizes it differently. Such layered designs are prone to header smuggling and path confusion, which have produced many impactful bugs. A Web request to the PAN-OS management interface is handled by three separate components: Nginx, Apache, and the PHP application itself. If Nginx and Apache disagree about what the request looks like (for example, which path it refers to), the authentication decision is made on one interpretation of the request while routing is done on another, and an authentication bypass can be achieved.
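The following is an added illustration of the path-confusion pattern described above, written for this article; it is not PAN-OS code and does not reproduce the actual CVE-2025-0108 request. It models a front proxy that decides whether a path needs authentication after decoding it once, and a backend that decodes the path a second time and collapses dot segments before dispatching. The route names (`/public/`, `/admin/config.php`) and the double-decode behaviour are assumptions chosen to make the mismatch visible, along with a hardened dispatcher that makes the authorization decision on the same canonical path the backend will actually serve.

```python
from urllib.parse import unquote
import posixpath

# Hypothetical routes used only for this demonstration (not PAN-OS paths).
PUBLIC_PREFIX = "/public/"          # area the proxy allows without a session
ADMIN_PATH = "/admin/config.php"    # handler that must require a session


def front_proxy_allows(raw_path: str, authenticated: bool) -> bool:
    """Proxy layer (assumed behaviour): percent-decode once, then allow
    unauthenticated access only when the path is under PUBLIC_PREFIX."""
    decoded = unquote(raw_path)
    if decoded.startswith(PUBLIC_PREFIX):
        return True
    return authenticated


def backend_route(raw_path: str) -> str:
    """Backend layer (assumed behaviour): decodes the path a second time and
    normalizes '..' segments before choosing a handler. The second decode is
    the disagreement between the two layers that the attacker exploits."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath(decoded)


def handle_request(raw_path: str, authenticated: bool) -> str:
    """Vulnerable pipeline: auth decided by the proxy on its own view of the
    path, routing decided by the backend on a different view."""
    if not front_proxy_allows(raw_path, authenticated):
        return "401"
    return "200 " + backend_route(raw_path)


def handle_request_hardened(raw_path: str, authenticated: bool) -> str:
    """Hardened pipeline: canonicalize exactly as the backend does, reject
    anything that still looks encoded or traverses, and only then make the
    authorization decision on that canonical path."""
    target = backend_route(raw_path)
    if "%" in target or ".." in target.split("/"):
        return "400"
    if not (target.startswith(PUBLIC_PREFIX) or authenticated):
        return "401"
    return "200 " + target


if __name__ == "__main__":
    # Constructed request: '..' double-encoded so the proxy sees a path that
    # still begins with the public prefix, while the backend decodes it
    # to a traversal into the admin handler.
    smuggled = "/public/%252e%252e/admin/config.php"
    print("vulnerable:", handle_request(smuggled, authenticated=False))
    print("hardened:  ", handle_request_hardened(smuggled, authenticated=False))
```

Run it and the vulnerable dispatcher serves the admin handler to an unauthenticated caller, while the hardened one refuses. The fix that generalizes is the one in `handle_request_hardened`: decode and normalize in one place, and make the authorization decision on the same string the handler will receive, rather than trusting a decision an upstream layer made on a different view of the request.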
Eliminate Risk by Patching Auth Bypass Now
Palo Alto's network devices are widely deployed, and flaws in them are typically seized on by attackers within days. According to CISA and researchers, the only way to fully eliminate the exploitation risk is to apply Palo Alto's updates to affected devices. Until then, administrators can greatly reduce the risk by ensuring that the management interface is reachable only from trusted internal IP addresses and is never exposed to the Internet. Defenders can identify assets that need remediation in the Assets section of the Palo Alto Customer Support Portal. Palo Alto also recommends restricting management interface access to an allowlist of trusted IPs as standing practice, so that this and similar vulnerabilities cannot be exploited from the Internet.