Exploits Hit Palo Alto CVE-2025-0108

Palo Alto disclosed the bug on Feb. 12 and released updated software to address it

Attackers are actively exploiting an authentication bypass vulnerability in several versions of Palo Alto Networks’ PAN-OS software, which runs on the company’s firewall appliances. Palo Alto disclosed the bug on Feb. 12 and released updated software to address it, but there was already a proof-of-concept exploit in the wild by that time. 

Why It Matters: PAN-OS runs the next-generation firewall (NGFW) appliances from Palo Alto Networks, which are widely deployed in enterprises. This vulnerability enables an attacker to bypass authentication on the management interface and take unauthorized actions on the target appliance. Researchers at The Shadowserver Foundation have seen large spikes of exploit attempts against this flaw in the last couple of days, and GreyNoise data also shows active attacks from several IP addresses in the United States and elsewhere.

Key Details

  • “An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS,” the advisory says.

  • Organizations running vulnerable versions of the software can mitigate the issue by restricting access to the management web interface to only trusted internal IP addresses.

  • The bug affects PAN-OS versions 11.2, 11.1, 10.2, and 10.1.

The details of the vulnerability have only been public for two days, but with the existence of a public PoC exploit and reports of exploit attempts ramping up, organizations should upgrade to the latest version of PAN-OS as soon as possible.
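To check whether the management-interface restriction described above is actually holding, a defender can audit the interface's web access log for sources outside the trusted ranges. The script below is an added example, not code from Palo Alto Networks or the advisory; the log format, the trusted ranges, the sample lines and the PHP paths in them are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the trusted internal management ranges; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/24")]

# Assumption: common-log-style lines (source IP first, quoted request, then status).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = """\
10.20.0.15 - admin [14/Feb/2025:09:12:01 +0000] "GET /php/example.php HTTP/1.1" 200 512
203.0.113.77 - - [14/Feb/2025:09:13:44 +0000] "GET /php/example.php HTTP/1.1" 200 498
203.0.113.77 - - [14/Feb/2025:09:13:45 +0000] "GET /login HTTP/1.1" 302 0
198.51.100.9 - - [14/Feb/2025:09:14:10 +0000] "POST /php/other.php HTTP/1.1" 403 0
not a log line
"""

def is_trusted(addr):
    """True when the address falls inside any trusted management range."""
    return any(addr in net for net in TRUSTED_NETS)

def audit(log_text):
    """Return {source_ip: {"requests": n, "php_ok": [paths]}} for untrusted sources."""
    findings = defaultdict(lambda: {"requests": 0, "php_ok": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of failing the audit
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # first field was not an IP address
        if is_trusted(src):
            continue
        entry = findings[str(src)]
        entry["requests"] += 1  # any hit from outside the allowlist is a finding
        path = m["path"].split("?", 1)[0]
        # A PHP script answered successfully to an untrusted source: review first.
        if path.lower().endswith(".php") and m["status"].startswith("2"):
            entry["php_ok"].append(path)
    return dict(findings)

if __name__ == "__main__":
    for src, info in sorted(audit(SAMPLE_LOG).items()):
        print(src, info["requests"], info["php_ok"])
```

Any source that appears in the output means the management interface is reachable from outside the intended ranges; entries with a non-empty `php_ok` list deserve the earliest review.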