Full Report
A recently patched firewall flaw in Palo Alto Networks PAN-OS, tracked as CVE-2025-0108, lets cybercriminals with network access to the management web interface bypass authentication and execute certain PHP scripts. Although this doesn’t lead to remote execution of malicious code, this critical flaw still poses risks to the integrity and security of PAN-OS products. The […]
The post CVE-2025-0108 Detection: Active Exploitation of an Authentication Bypass Palo Alto Networks PAN-OS Software appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Authentication Bypass in Palo Alto Networks PAN-OS Leading to PHP Script Execution
## CVE Details
- CVE ID: CVE-2025-0108
- CVSS Score: 8.8 (High)
- CWE: Not explicitly listed, but relates to Authentication Bypass.
## Affected Systems
- Products: Palo Alto Networks PAN-OS Software
- Versions: Releases prior to 10.2.14, 11.0.7, and 11.2.5 are vulnerable. The fixed versions are 10.2.14, 11.0.7, 11.2.5 and later releases of each branch; anything older should be treated as vulnerable unless explicitly patched.
- Configurations: Applicable to systems running vulnerable PAN-OS versions with the management interface exposed.
## Vulnerability Description
The vulnerability is an authentication bypass flaw within the PAN-OS software that allows an unauthenticated remote attacker to gain unauthorized access to the PAN-OS web interface. Successful exploitation allows the attacker to execute PHP scripts on the affected device. This vulnerability has reportedly been chained with CVE-2024-9474 (which also has a patch) to potentially achieve Remote Code Execution (RCE).
## Exploitation
- Status: Exploited in the wild (Active exploitation observed starting February 13).
- Complexity: Assumed Low to Medium, given reports of widespread exploitation.
- Attack Vector: Network (Remote, unauthenticated access is possible).
## Impact
- Confidentiality: High (Unauthorized access and potential script execution).
- Integrity: High (Potential for configuration changes or execution of arbitrary code).
- Availability: High (Potential for service disruption if exploited severely).
## Remediation
### Patches
- Install the fixed versions announced on February 12:
  - PAN-OS version 10.2.14 and later
  - PAN-OS version 11.0.7 and later
  - PAN-OS version 11.2.5 and later
### Workarounds
- Restrict access to the management interface to only trusted internal IP addresses (jump box access).
## Detection
- Indicators of Compromise: Reports indicate nearly 30 unique IPs were compromised shortly after exploitation began. Monitoring external access attempts to the management interface from unusual geographic locations or IPs is critical.
- Detection methods and tools: Leverage security tooling (e.g., SIEM platforms) to monitor for unusual activity targeting the PAN-OS admin interface, especially indicators related to PHP execution attempts, and for exploitation patterns associated with CVE-2024-9474 and CVE-2024-0012 if chaining is suspected.
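As an added illustration of the workaround and detection guidance above (this is not code from the SOC Prime report or from Palo Alto Networks), the following Python check parses constructed management-interface access log lines, flags every request that did not originate from the trusted management network, and separately calls out successful PHP script requests from untrusted sources, which is the footprint an authentication bypass followed by script execution would leave. The log format, the trusted network 10.10.5.0/24, and all addresses and paths are assumptions.

```python
import ipaddress
import re

# Constructed sample lines, loosely modelled on a web-server access log for a
# management web interface. They are illustrative, not real PAN-OS output.
SAMPLE_LOG = """\
10.10.5.20 - admin [13/Feb/2025:09:01:12 +0000] "GET /php/login.php HTTP/1.1" 200
203.0.113.77 - - [13/Feb/2025:09:02:40 +0000] "GET /php/login.php HTTP/1.1" 200
203.0.113.77 - - [13/Feb/2025:09:02:41 +0000] "POST /php/utils/example.php HTTP/1.1" 200
198.51.100.9 - - [13/Feb/2025:09:03:05 +0000] "GET /index.html HTTP/1.1" 403
10.10.5.21 - ops [13/Feb/2025:09:04:00 +0000] "GET /php/utils/example.php HTTP/1.1" 200
"""

# Trusted management sources (the jump box / internal range that the workaround
# says should be the only networks allowed to reach the interface). Assumed value.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_trusted(ip):
    """True when the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def find_suspicious(log_text):
    """Return (ip, path, reason) tuples for requests an analyst should review."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or is_trusted(rec["ip"]):
            continue  # malformed, or from the allowed management range
        if rec["path"].endswith(".php") and 200 <= rec["status"] < 300:
            # A PHP script answered successfully to an untrusted source.
            findings.append((rec["ip"], rec["path"], "php-script-success-from-untrusted-ip"))
        else:
            findings.append((rec["ip"], rec["path"], "mgmt-access-from-untrusted-ip"))
    return findings
```

Feed real management-interface logs through `find_suspicious` once the regex is adapted to your log format; any hit from outside the allowlist is, under the workaround above, a policy violation worth investigating regardless of the path requested.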
## References
- Vendor Advisories: Palo Alto Networks (advisories announced February 12)
- Relevant links:
  - Shadowserver Foundation detection report: hxxps://x dot com/Shadowserver/status/1890390638387986559