Full Report

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The flaws are listed below: CVE-2025-0108 (CVSS score: 7.8), an authentication bypass vulnerability in the Palo Alto Networks PAN-OS

Analysis Summary
# Vulnerability: CISA Adds Exploited PAN-OS Authentication Bypass and SonicOS SSLVPN Flaw to KEV Catalog
## CVE Details
- CVE ID: CVE-2025-0108
- CVSS Score: 7.8 (High)
- CWE: Authentication Bypass (Inferred from description)
- CVE ID: CVE-2024-53704
- CVSS Score: 8.2 (High)
- CWE: Improper Authentication (Inferred from description)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS, SonicWall SonicOS SSLVPN
- **Versions:** Unpatched/unsecured versions (Specific versions not listed in summary)
- **Configurations:** CVE-2025-0108 specifically affects the management web interface when it is reachable over the network.
## Vulnerability Description
**CVE-2025-0108 (Palo Alto Networks PAN-OS):** An authentication bypass vulnerability in the management web interface that allows an unauthenticated attacker with network access to the interface to bypass authentication and invoke certain PHP scripts. Palo Alto Networks has observed this flaw being actively chained with CVE-2024-9474 and CVE-2025-0111 to gain unauthorized access to unpatched and unsecured firewalls.
**CVE-2024-53704 (SonicWall SonicOS SSLVPN):** An improper authentication vulnerability within the SSLVPN authentication mechanism that allows a remote attacker to bypass the authentication process entirely.
## Exploitation
- **Status:** Exploited in the wild (Both vulnerabilities added to CISA KEV catalog)
- **Complexity:** Low/Medium (Inferred based on widespread exploitation and PoC availability for CVE-2024-53704, and chaining capabilities for CVE-2025-0108)
- **Attack Vector:** Network (remote exploitation observed for both)
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2025-0108** | High (Implied by unauthorized access/script invocation) | High (Implied by unauthorized access/script invocation) | High (Implied by unauthorized access/potential system manipulation) |
| **CVE-2024-53704** | High (Implied by authentication bypass) | High (Implied by authentication bypass) | High (Implied by authentication bypass) |
## Remediation
### Patches
* Patches for both vulnerabilities are available, as evidenced by their inclusion in CISA's KEV catalog, which mandates remediation. (Specific patch versions for each product are not detailed in this summary.)
* **Federal Guidance:** FCEB agencies are required to remediate these vulnerabilities by **March 11, 2025**.
### Workarounds
* The article implies that the focus is on patching, given the active exploitation and the severity of the flaws. No specific workarounds are mentioned in the provided text.
## Detection
- **Indicators of Compromise:** Active exploitation attempts against CVE-2025-0108 originating from multiple malicious IP addresses (sources observed in the US, Germany, and the Netherlands).
- **Detection methods and tools:** Monitor network traffic directed toward the PAN-OS web management interface and SonicWall SSLVPN endpoints for authentication bypass patterns. Threat intelligence platforms should watch for activity matching known exploitation signatures for these CVEs.
## References
- CISA KEV Catalog notification (Implied source)
- Palo Alto Networks Advisory for CVE-2025-0108 (Referenced [security.paloaltonetworks.com/CVE-2025-0108])
- Arctic Wolf and GreyNoise observations regarding exploitation.
- Vendor advisories from Palo Alto Networks and SonicWall (Implied)
- Relevant links (defanged):
  - hxxps://www.cisa.gov/news-events/alerts/2025/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
  - hxxps://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise
  - hxxps://security.paloaltonetworks.com/CVE-2025-0108
  - hxxps://security.paloaltonetworks.com/CVE-2024-9474
  - hxxps://security.paloaltonetworks.com/CVE-2025-0111