Hackers are launching assaults in opposition to Palo Alto Networks PAN-OS firewalls by exploiting a just lately fastened vulnerability (CVE-2025-0108) that enables bypassing authentication.
The safety difficulty acquired a high-severity rating and impacts the PAN-OS administration net interface and permits an unauthenticated attacker on the community to bypass authentication and invoke sure PHP scripts, probably compromising integrity and confidentiality.
In a safety bulletin on February 12, Palo Alto Networks urges admins to improve firewalls to the variations beneath to deal with the problem:
- 11.2.4-h4 or later
- 11.1.6-h1 or later
- 10.2.13-h3 or later
- 10.1.14-h9 or later
PAN-OS 11.0 can be impacted however the product reached the top of life (EoL) and Palo Alto Networks doesn’t plan to launch any fixes for it. Due to this, customers are strongly really useful to improve to a supported launch as a substitute.
Supply: Palo Alto Networks
The vulnerability was found and reported to Palo Alto Networks by safety researchers at Assetnote. In addition they printed a write-up with full exploitation particulars when the patch was launched.
The researchers demonstrated how the flaw may very well be leveraged to extract delicate system information, retrieve firewall configurations, or probably manipulate sure settings inside PAN-OS.
The exploit leverages a path confusion between Nginx and Apache in PAN-OS that enables bypassing authentication.
Attackers with community entry to the administration interface can leverage this to assemble intelligence for additional assaults or to weaken safety defenses by modifying accessible settings.
Supply: Assetnote
Menace monitoring platform GreyNoise logged exploitation makes an attempt concentrating on unpatched PAN-OS firewalls.
The assaults began on February 13, at 17:00 UTC, and seem to originate from a number of IP addresses, probably indicating exploitation efforts from distinct risk actors.
Supply: GreyNoise
Concerning the publicity of susceptible gadgets on-line, Macnica researcher Yutaka Sejiyama advised BleepingComputer that there are presently over 4,400 PAN-OS gadgets exposing their administration interface on-line.
To defend in opposition to the continuing exploitation exercise, which, contemplating that the PoC is public, could be very prone to culminate within the following days, it’s endorsed to use the out there patches and prohibit entry to firewall administration interfaces.
