On February 12, 2025, Palo Alto Networks (PAN) released security updates to address a high-severity vulnerability affecting its firewalls. Researchers have since published a proof-of-concept (PoC) and reported ongoing attempts to exploit the vulnerability.
This flaw is tracked as CVE-2025-0108 and could allow a bypass of authentication and access to the management web interface. It has been assigned a Common Vulnerability Scoring System (CVSS) base score of 7.8 out of 10.
Palo Alto Networks reported that Prisma Access and Cloud NGFW deployments are not affected by the vulnerability. Note: CVE-2025-0108 affects PAN-OS v11.0, which reached end of life (EoL) on November 17, 2024.
Source: SecurityWeek
Analysis
The vulnerability is an authentication bypass in the PAN-OS management web interface. Anyone with network access to the interface could exploit this flaw to invoke certain PHP scripts without proper authentication. This does not allow remote code execution but could compromise the integrity and confidentiality of the affected system.
CVE-2025-0108 has a CVSS score of 7.8 when access to the management interface is allowed from external IP addresses on the Internet. Palo Alto Networks suggests that using a jump box to access the management interface would reduce the CVSS score to 5.1. In that scenario, attacks would require privileged access through only the jump box's IP addresses.
According to researchers at GreyNoise, active scanning and attempts to compromise unpatched firewalls started shortly after the publication of technical details for this vulnerability.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs (Actions-Recommendations-Observations) as quickly as possible via the Field Effect MDR portal.
Field Effect strongly encourages users of potentially vulnerable Palo Alto firewalls to verify whether they have any firewall management interfaces exposed to the Internet by consulting the Palo Alto Customer Support Portal (Products > Assets > All Assets > Remediation Required).
To reduce the threat posed by this vulnerability, users and network administrators should apply security patches for supported PAN-OS versions as soon as possible and upgrade EoL products to a supported version. We recommend configuring devices and applications according to the vendor's recommended best practices.