New PAN-OS Authentication Bypass Vulnerability Exploited by Hackers

Nikita Shekhawat - Feb 17 - - Dev Community

New PAN-OS Authentication Bypass Vulnerability Exploited by Hackers

Alto Networks has released a patch for a high-severity authentication bypass vulnerability, identified as CVE-2025-0108, affecting their PAN-OS software. GreyNoise has observed active exploitation attempts targeting this vulnerability.

PAN-OS Authentication Bypass Vulnerability CVE-2025-0108

New PAN-OS Authentication Bypass Vulnerability Exploited by Hackers

Image courtesy of Hackers Actively Exploiting New PAN-OS Authentication Bypass Vulnerability

Palo Alto Networks has released a patch for a high-severity authentication bypass vulnerability, identified as CVE-2025-0108, affecting their PAN-OS software. GreyNoise has observed active exploitation attempts targeting this vulnerability.

The flaw allows unauthenticated attackers to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts. While this doesn’t enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS.

PAN-OS Authentication Bypass CVE-2025-0108 Details

The vulnerability, with a CVSS score of 7.8, was discovered by Assetnote researchers while analyzing patches for previously exploited vulnerabilities CVE-2024-0012 and CVE-2024-9474. The flaw originates from a path confusion issue between PAN-OS’s Nginx reverse proxy and Apache web server components.

Attackers can craft malicious HTTP requests with multi-layered URL encoding, causing Nginx to incorrectly flag the request as non-sensitive (via the X-pan-AuthCheck: off header) while Apache processes it as a legitimate, authenticated request. This discrepancy allows attackers to access restricted PHP scripts, compromise configuration integrity and confidentiality, and exploit other vulnerabilities requiring authentication.

Palo Alto Networks rates the flaw as CVSS 7.8–8.8, depending on network exposure. The severity drops to 5.9 if management interfaces are restricted to trusted IPs.

Active Exploitation and Mitigation Strategies

New PAN-OS Authentication Bypass Vulnerability Exploited by Hackers

Image courtesy of Hackers Actively Exploiting New PAN-OS Authentication Bypass Vulnerability

GreyNoise has observed widespread exploitation attempts in the wild, with attackers leveraging available proof-of-concept (PoC) exploits. While the vulnerability does not enable direct remote code execution, compromised scripts could facilitate data exfiltration, log manipulation, and deployment of secondary attacks.

Vulnerable PAN-OS versions include:

  • 11.2 versions < 11.2.4-h4
  • 11.1 versions < 11.1.6-h1
  • 10.2 versions < 10.2.13-h3
  • 10.1 versions < 10.1.14-h9

Cloud NGFW and Prisma Access are unaffected.

Mitigation Steps

  1. Immediate Patching: Upgrade to fixed PAN-OS versions.
  2. Network Hardening: Restrict management interface access to trusted IPs via firewall rules or VPNs.
  3. Monitoring: Use tools like GreyNoise to track exploitation trends.

Palo Alto Networks has not confirmed malicious exploitation but urges customers to prioritize updates. GreyNoise warns that organizations must assume unpatched devices are actively targeted.

Technical Analysis of the Vulnerability

Palo Alto Networks has disclosed a critical vulnerability (CVE-2025-0108) that allows attackers to bypass authentication on the management web interface. This flaw has been assigned a CVSS Base Score of 8.8, posing a significant risk to organizations using affected versions of PAN-OS.

The vulnerability originates from a path confusion issue, which allows an unauthenticated attacker to invoke PHP scripts without proper authentication. While this does not allow remote code execution, it could compromise the integrity and confidentiality of the system.

Affected Versions:

  • PAN-OS 11.2 < 11.2.4-h4
  • PAN-OS 11.1 < 11.1.6-h1
  • PAN-OS 10.2 < 10.2.13-h3
  • PAN-OS 10.1 < 10.1.14-h9

PAN-OS version 11.0 has reached its end of life (EOL) as of November 17, 2024, with no planned fixes.

Exploitation Risk and Recommended Actions

To mitigate this risk, Palo Alto Networks recommends restricting access to trusted internal IP addresses and following best practices for securing administrative access. Organizations are strongly advised to act promptly to secure their systems.

Palo Alto Networks suggests:

  • Upgrading affected systems to fixed versions.
  • Restricting access to the management web interface using internal IPs only.
  • Implementing a “jump box” system for accessing the management interface.
  • Enabling Threat IDs through a Threat Prevention subscription to block potential attacks.

Organizations are encouraged to utilize real-time intelligence tools to track exploitation patterns and strengthen their defenses. Failure to act promptly could expose organizations to significant financial, operational, and reputational damage.

New PAN-OS Authentication Bypass Vulnerability Exploited by Hackers

Image courtesy of PAN-OS 0-day Vulnerability Let Attackers Bypass Web Interface Authentication

GrackerAI offers an AI-powered cybersecurity marketing platform designed to help organizations transform security news into strategic content opportunities. Our platform enables marketing teams to identify emerging trends, monitor threats, and produce technically relevant content that resonates with cybersecurity professionals and decision-makers. Explore our services at GrackerAI or contact us for more information.

Image
Digiflex: Mobile App,ing Web Development & Digital Market…
Image
Best Cheap Food for Dogs- Affordable and Nutritious Options for Your Furry Friend - Best Amzon Review
Image
Best Free Movies on Apple TV - Our Top Picks - Best Amzon Review
Image
Web Design Essentials for Start-ups in Bangalore: Facts and Figures and Latest Statistics

webdesign, webdesigncompany, webdev, vistasadmediacommunications
Image
Why Gamers Prefer Mechanical Keyboards and Their PCBs
Image
Hard Times Gambling Ideas For Make Money
Image
Unveiling Success: Choosing the Best IT Consultant Company in USA

itconsultantcompany, itconsultingservices, usa
Image
Building Mobile Apps: Integrating with Backend Systems

mobileappdevelopment, developer, powerapps
Image
How to Develop a Mobile App: A Step-by-Step Guide

devops, react, programming, webdev
Image
Building a Dashboard Web App Using Google Sheets and Markdown

python, spreadsheets, dataviz, tutorial
Image
Everything You Need to Know About Dried Poppy Pods
Image
How to Build High-Performance NFS Storage with xiRAID Backend and RDMA Access

performance, rdma, nfs, storage
Image
🚀 Grok 3: The Next-Gen AI Model from xAI | Benchmarks, Features & Performance

grok3, xai, aimodelperformance, elonmuskai
Image
5 Most Powerful Advanced JavaScript Concepts

webdev, programming, javascript, beginners
Image
Git Architecture & Installation

git, gitlab, programming, webdev
Image
Organic Poppy Pods for Sale – Buy Online Now
Image
Stretch Your Poker Bankroll With Online Bonuses
Image
Why Choose a Crypto Exchange WazirX Clone Script

blockchain, cryptocurrency, cryptoexchangeclone, technology
Image
Successful Tips for Conquering Common Bookkeeping Challenges in Small Businesses
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .