Hackers are launching assaults towards Palo Alto Networks PAN-OS firewalls by exploiting a just lately fastened vulnerability (CVE-2025-0108) that permits bypassing authentication.
The safety problem obtained a high-severity rating and impacts the PAN-OS administration net interface and permits an unauthenticated attacker on the community to bypass authentication and invoke sure PHP scripts, probably compromising integrity and confidentiality.
In a safety bulletin on February 12, Palo Alto Networks urges admins to improve firewalls to the variations beneath to handle the difficulty:
- 11.2.4-h4 or later
- 11.1.6-h1 or later
- 10.2.13-h3 or later
- 10.1.14-h9 or later
PAN-OS 11.0 can also be impacted however the product reached the tip of life (EoL) and Palo Alto Networks doesn’t plan to launch any fixes for it. Due to this, customers are strongly really useful to improve to a supported launch as a substitute.
Supply: Palo Alto Networks
The vulnerability was found and reported to Palo Alto Networks by safety researchers at Assetnote. Additionally they printed a write-up with full exploitation particulars when the patch was launched.
The researchers demonstrated how the flaw may very well be leveraged to extract delicate system knowledge, retrieve firewall configurations, or probably manipulate sure settings inside PAN-OS.
The exploit leverages a path confusion between Nginx and Apache in PAN-OS that permits bypassing authentication.
Attackers with community entry to the administration interface can leverage this to assemble intelligence for additional assaults or to weaken safety defenses by modifying accessible settings.
Supply: Assetnote
Menace monitoring platform GreyNoise logged exploitation makes an attempt focusing on unpatched PAN-OS firewalls.
The assaults began on February 13, at 17:00 UTC, and seem to originate from a number of IP addresses, probably indicating exploitation efforts from distinct menace actors.
Supply: GreyNoise
Concerning the publicity of susceptible gadgets on-line, Macnica researcher Yutaka Sejiyama instructed BleepingComputer that there are presently over 4,400 PAN-OS gadgets exposing their administration interface on-line.
To defend towards the continuing exploitation exercise, which, contemplating that the PoC is public, could be very prone to culminate within the following days, it is strongly recommended to use the accessible patches and limit entry to firewall administration interfaces.