On February 12, 2025, a critical vulnerability, CVE-2025-0108, was publicly disclosed in Palo Alto Networks’ PAN-OS software. The flaw, assigned a CVSS 4.0 score of 8.8, is an authentication bypass vulnerability that allows an unauthenticated attacker with network access to the PAN-OS management web interface to circumvent authentication and invoke certain PHP scripts.
While this vulnerability does not enable remote code execution, security experts warn that it could compromise the integrity and confidentiality of PAN-OS, potentially exposing sensitive system configurations. Organizations using affected versions of PAN-OS are urged to apply mitigations and patches as soon as they become available.
Figure 1:The exploit workflow (Source: Assetnote)
Palo Alto Networks has confirmed that threat actors are actively exploiting CVE-2025-0108 by chaining it with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces.
Security researchers warn that this attack chain could allow adversaries to escalate privileges and gain unauthorized access to affected systems. Organizations running vulnerable versions of PAN-OS are urged to apply patches immediately and ensure their management interfaces are secured against unauthorized access.
The following products are affected:
Though Palo Alto released the patch update for this vulnerability,
| Version | Minor Version | Suggested Solution |
| PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h9 or later |
| PAN-OS 10.2 | 10.2.0 through 10.2.13 | Upgrade to 10.2.13-h3 or later |
| 10.2.7 | Upgrade to 10.2.7-h24 or 10.2.13-h3 or later | |
| 10.2.8 | Upgrade to 10.2.8-h21 or 10.2.13-h3 or later | |
| 10.2.9 | Upgrade to 10.2.9-h21 or 10.2.13-h3 or later | |
| 10.2.10 | Upgrade to 10.2.10-h14 or 10.2.13-h3 or later | |
| 10.2.11 | Upgrade to 10.2.11-h12 or 10.2.13-h3 or later | |
| 10.2.12 | Upgrade to 10.2.12-h6 or 10.2.13-h3 or later | |
| PAN-OS 11.0 (EoL) | Upgrade to a supported fixed version | |
| PAN-OS 11.1 | 11.1.0 through 11.1.6 | Upgrade to 11.1.6-h1 or later |
| 11.1.2 | Upgrade to 11.1.2-h18 or 11.1.6-h1 or later | |
| PAN-OS 11.2 | 11.2.0 through 11.2.4 | Upgrade to 11.2.4-h4 or later |
Note: PAN-OS 11.0 reached end of life (EoL) on November 17, 2024. No additional fixes are planned for this release.
Organizations using internet-facing Palo Alto Networks firewalls that have not been promptly updated following the latest security patches should assume their devices have been compromised, the company warns. Administrators are advised to search for planted malware and investigate potential exploitation attempts from unexpected IP addresses. However, no publicly available indicators of compromise (IoCs) have been released yet.
Palo Alto Networks stresses that both compromised and uncompromised devices must be updated to a supported fixed version without delay. Additionally, organizations are urged to harden access to PAN-OS management interfaces to prevent further exploitation.
“Specifically, you should restrict management interface access to only trusted internal IP addresses,” the company advises. “You can greatly reduce the risk of exploitation by limiting access to a jump box that is the only system permitted to interact with the management interface. This ensures that attackers must first obtain privileged access to those specified IP addresses before launching an attack.”
Security experts recommend implementing these mitigations immediately to minimize risk amid ongoing exploitation attempts.Bangladeshi organizations and individuals using Palo Alto Networks firewalls are urged to immediately address a critical chain attack involving CVE-2025-0108, which is being exploited in combination with CVE-2024-9474 and CVE-2025-0111. This triple CVE attack targets unpatched PAN-OS management web interfaces, allowing unauthenticated attackers to bypass authentication and potentially compromise sensitive data.
