
February 19, 2025 | Ravie Lakshmanan | Threat Intelligence / Vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities in question are:

  • CVE-2025-0108 (CVSS score: 7.8) – An authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface that allows an unauthenticated attacker with network access to the interface to bypass the authentication it normally requires and invoke certain PHP scripts.
  • CVE-2024-53704 (CVSS score: 8.2) – An improper authentication vulnerability in the SonicWall SonicOS SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.

Palo Alto Networks confirmed to The Hacker News that it has observed active exploitation attempts against CVE-2025-0108. The company noted that the flaw can be chained with other vulnerabilities, such as CVE-2024-9474, to gain unauthorized access to firewalls that are unpatched and whose management interface is exposed.

“We have observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” the company stated in an updated advisory.

Threat intelligence firm GreyNoise reported that as many as 25 malicious IP addresses are actively exploiting CVE-2025-0108, with attacker activity up tenfold since exploitation was first detected nearly a week earlier. The top three sources of attack traffic are the United States, Germany, and the Netherlands.

Regarding CVE-2024-53704, cybersecurity company Arctic Wolf revealed that threat actors began weaponizing the flaw shortly after Bishop Fox published a proof-of-concept (PoC) exploit.

In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to remediate the identified vulnerabilities by March 11, 2025, to secure their networks.
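The KEV due date is only useful if it is checked against what you actually run. The script below is an added example (not code from the article, CISA, or either vendor) that parses a document in the shape of the public KEV JSON feed (a "vulnerabilities" array whose entries carry cveID, vendorProject, product, dateAdded and dueDate), matches it against a hypothetical asset inventory, and flags assets whose KEV deadline has passed. The two feed entries and the inventory are constructed; the dates mirror the article (added February 18, 2025, due March 11, 2025).

```python
"""Triage a CISA KEV-format feed against a local asset inventory.

Added example: the JSON shape mirrors the public KEV feed, but the entries
below are constructed for the two CVEs discussed in the article, and the
inventory is hypothetical.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the KEV feed (not the real catalog).
KEV_SAMPLE = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2025-0108", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2025-02-18",
         "dueDate": "2025-03-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall",
         "product": "SonicOS", "dateAdded": "2025-02-18",
         "dueDate": "2025-03-11", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical asset inventory: (hostname, vendor, product).
INVENTORY = [
    ("fw-edge-01", "palo alto networks", "pan-os"),
    ("vpn-gw-02", "SonicWall", "SonicOS"),
    ("web-03", "nginx", "nginx"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due: date
    days_left: int  # negative once the KEV due date has passed

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def load_kev(feed_text: str) -> list:
    """Parse a KEV-format JSON document into its list of entry dicts."""
    return json.loads(feed_text)["vulnerabilities"]


def match_inventory(entries: list, inventory: list, today: date) -> list:
    """One Finding per (asset, KEV entry) pair whose vendor and product match.

    Matching is case-insensitive on vendorProject/product and deliberately
    coarse: the feed carries no version data, so every matching asset is
    reported and must be confirmed patched out of band.
    """
    findings = []
    for host, vendor, product in inventory:
        for entry in entries:
            if (entry["vendorProject"].lower() == vendor.lower()
                    and entry["product"].lower() == product.lower()):
                due = date.fromisoformat(entry["dueDate"])
                findings.append(Finding(host, entry["cveID"], due,
                                        (due - today).days))
    return findings


def overdue_findings(findings: list) -> list:
    """Subset of findings whose remediation deadline has already passed."""
    return [f for f in findings if f.overdue]


def report(findings: list) -> list:
    """Human-readable lines, overdue items first."""
    ordered = sorted(findings, key=lambda f: f.days_left)
    return [f"{'OVERDUE' if f.overdue else 'due':7} {f.cve_id} on {f.host} "
            f"(due {f.due.isoformat()}, {f.days_left:+d} days)"
            for f in ordered]


if __name__ == "__main__":
    found = match_inventory(load_kev(KEV_SAMPLE), INVENTORY, date.today())
    for line in report(found):
        print(line)
```

Swap KEV_SAMPLE for the downloaded feed and INVENTORY for a CMDB export, and run it from a scheduled job; the days_left field gives the remediation tracker a single number to alert on.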
