Palo Alto Networks PAN-OS Under Attack: Authentication Bypass Exploited

Introduction

A high-severity vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS is actively being exploited by hackers to bypass authentication mechanisms. This security flaw, affecting the PAN-OS management web interface, allows unauthorized attackers on the network to invoke PHP scripts without authentication. If exploited, this vulnerability could lead to the compromise of firewall integrity and confidentiality, posing a significant risk to affected organizations.

Palo Alto Networks issued a security bulletin on February 12, urging administrators to upgrade their firewall systems immediately to mitigate potential exploitation. However, despite these efforts, attacks leveraging this vulnerability have already been observed in the wild.

Understanding the Vulnerability

Technical Breakdown

CVE-2025-0108 arises due to a path confusion vulnerability between Nginx and Apache web servers within PAN-OS. Attackers can exploit this flaw to bypass authentication mechanisms and access restricted areas of the system. This can enable them to:

Extract sensitive system data.

Retrieve firewall configurations.

Manipulate specific PAN-OS settings.

Weaken security defenses to facilitate further attacks.

Security researchers at Assetnote discovered and reported the vulnerability, later publishing a detailed write-up on its exploitation after the release of a patch.

Affected Versions

The vulnerability impacts multiple versions of PAN-OS, including:

1. 11.2.4-h4 or later
2. 11.1.6-h1 or later
3. 10.2.13-h3 or later
4. 10.1.14-h9 or later

PAN-OS 11.0 is also affected, but it has reached the end of life (EoL), and Palo Alto Networks has stated that it will not receive any security updates. Users running this version must upgrade to a supported release to secure their firewalls.

Exploitation in the Wild

How Hackers Are Leveraging CVE-2025-0108

Threat actors have begun targeting unpatched PAN-OS firewalls, using this authentication bypass vulnerability to compromise network security. The attack process generally follows this workflow:

Reconnaissance: Attackers scan the internet for PAN-OS devices with exposed management interfaces.

Exploitation: Once a vulnerable system is identified, the attacker exploits the authentication bypass flaw, gaining unauthorized access.

Data Extraction: The attacker extracts firewall configurations and sensitive system data.

Modification of Security Policies: Attackers may weaken firewall defenses, making the system more vulnerable to further exploitation.

Persistence and Further Exploitation: Threat actors may establish a foothold for future attacks, including deploying malware or exfiltrating data.

Observed Attack Patterns

Security monitoring platform GreyNoise has reported a surge in exploitation attempts targeting PAN-OS firewalls. The attacks were first observed on February 13 at 17:00 UTC, originating from multiple IP addresses. This suggests that multiple threat actors, potentially from different regions or groups, are actively attempting to exploit this vulnerability.

According to cybersecurity researcher Yutaka Sejiyama, over 4,400 PAN-OS devices are currently exposing their management interfaces online, significantly increasing the risk of compromise.

Defensive Measures: How to Protect Your Systems

Given the ongoing attacks and public availability of proof-of-concept (PoC) exploits, organizations must act quickly to secure their systems. Here are the recommended mitigation steps:

1. Apply Security Patches Immediately

Palo Alto Networks has released patches to address this vulnerability. Organizations must upgrade to the following versions or later to eliminate the risk:

1. 11.2.4-h4
2. 11.1.6-h1
3. 10.2.13-h3
4. 10.1.14-h9

For organizations running PAN-OS 11.0, it is crucial to upgrade to a supported version, as this version has reached end of life and will not receive a fix.

2. Restrict Access to the Management Interface

Limit access to PAN-OS management interfaces to trusted IP addresses and internal networks.

Disable direct internet exposure of the firewall management web interface.

Use VPNs or dedicated jump servers for secure remote access.

3. Monitor for Suspicious Activity

Utilize security monitoring tools to detect unauthorized access attempts.

Watch for unusual authentication requests or configuration changes.

Investigate any signs of compromise, such as unexpected firewall rule modifications.

4. Implement Network Segmentation and Zero Trust Security

Network Segmentation: Isolate the firewall management network from the broader enterprise network.

Zero Trust Policies: Enforce least privilege access, requiring strong authentication for all administrative actions.

5. Enable Multi-Factor Authentication (MFA)

While this vulnerability specifically bypasses authentication, enabling MFA for all administrative users adds an extra layer of security against other attack vectors.

6. Conduct Security Audits and Incident Response Readiness

Regularly audit firewall configurations and access logs.

Conduct penetration testing to identify and remediate vulnerabilities proactively.

Ensure an incident response plan is in place to react swiftly in case of a breach.

Long-Term Implications of the Vulnerability

Broader Cybersecurity Risks

The ability to bypass authentication on a critical security appliance like PAN-OS raises serious concerns. If left unpatched, compromised firewalls could be used as gateways for:

Data Exfiltration: Attackers could use the firewall to exfiltrate sensitive organizational data.

Lateral Movement: Once inside, attackers could pivot to other internal systems, expanding their control.

Ransomware Deployment: Exploited firewalls could facilitate ransomware attacks by disabling security controls.

Espionage and State-Sponsored Attacks: Given the nature of firewall deployments in government and enterprise settings, state-backed actors may use this vulnerability for long-term espionage campaigns.

The Future of Firewall Security

This incident highlights the growing need for firewall vendors to enhance security measures, including:

Stronger Authentication Mechanisms: Implementing more robust authentication layers beyond standard credentials.

Enhanced Monitoring and Logging: Improving visibility into administrative actions and authentication events.

Frequent Security Updates: Ensuring timely patching of discovered vulnerabilities.

Reducing Exposure of Management Interfaces: Encouraging best practices for restricting external access to security appliances.

Conclusion

The exploitation of CVE-2025-0108 in Palo Alto Networks PAN-OS demonstrates how critical vulnerabilities in security appliances can be leveraged by attackers to gain unauthorized access. With over 4,400 exposed PAN-OS devices and active exploitation attempts observed, it is imperative that organizations act swiftly to patch their systems, restrict access, and monitor for suspicious activity.

By implementing robust security practices, including timely patching, network segmentation, and strict access controls, organizations can significantly reduce the risk of compromise and safeguard their infrastructure from emerging cyber threats.