Full Report
Palo Alto Networks has observed exploit attempts chaining three vulnerabilities in its PAN-OS firewall appliances.
Analysis Summary
# Vulnerability: Chained Exploitation of Three PAN-OS Web Interface Flaws
## CVE Details
- CVE ID: **CVE-2025-0108** (High Severity)
- CVE ID: **CVE-2025-0111** (High Severity)
- CVE ID: **CVE-2024-9474** (Medium Severity)
- CVSS Score: **8.8** (CVE-2025-0108), **7.1** (CVE-2025-0111), **6.9** (CVE-2024-9474)
- CWE: Not listed in the source. The three flaws are, respectively, an authentication bypass, an authenticated file read, and a privilege escalation.
## Affected Systems
- Products: Palo Alto Networks Firewalls running **PAN-OS**
- Versions: Releases earlier than the fixed versions named in the vendor advisories; the fix release dates are given under Remediation.
- Configurations: All three flaws are in the **PAN-OS web management interface**, so exposure is determined by who can reach that interface. A firewall whose management interface is reachable only from trusted internal addresses is far less exposed than one whose interface is reachable from the internet.
## Vulnerability Description
Threat actors are chaining three distinct vulnerabilities in the PAN-OS web management interface to go from unauthenticated network access to **root** on unpatched firewall appliances.
The chain involves:
1. **CVE-2025-0108 (Authentication Bypass):** Lets an unauthenticated attacker with network access to the management web interface bypass its authentication. This is the entry point of the chain and the only step that needs no prior access.
2. **CVE-2025-0111 (Authenticated File Read):** Lets an attacker who holds an authenticated session read files on the appliance that are readable by the web interface's unprivileged user. On its own it requires credentials; in the chain, the authentication bypass supplies that authenticated context.
3. **CVE-2024-9474 (Privilege Escalation):** Lets an attacker acting as a PAN-OS administrator on the management web interface run actions as root. Combined with the first two flaws it turns the bypass into full root control of the appliance.
## Exploitation
- Status: **Actively exploited in the wild**
- Complexity: **Low** (as stated by Palo Alto Networks)
- Attack Vector: **Network**; all three flaws are reached through the web management interface, so any network that can reach that interface is within the attack surface.
## Impact
The successful chaining of these vulnerabilities gives an attacker **root privileges** on the affected firewall, which means:
- Confidentiality: **High** (read device configuration, credentials and keys held on the appliance, and inspect traffic the firewall sees).
- Integrity: **High** (modify rules, policies and configuration, or implant persistence on the device).
- Availability: **High** (disable or misconfigure the device).
## Remediation
### Patches
Palo Alto Networks released fixes for these vulnerabilities:
- **CVE-2025-0108 and CVE-2025-0111:** Patches released on February 12, 2025.
- **CVE-2024-9474:** Fix was released in **November 2024**.
*Action Required: Apply all outstanding patches for these three CVEs.* Patching CVE-2025-0108 alone removes the unauthenticated entry point, but the file read and the privilege escalation remain exploitable by anyone who obtains valid credentials, so all three fixes are needed.
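The patch list above gives dates, not a way to check a fleet. The script below is an added example (not Palo Alto Networks code) of the check a practitioner would run over a device inventory: it parses PAN-OS version strings of the form `major.minor.maint[-hN]`, compares each device against the first fixed release on its release train, and treats a train with no fix (for example an end-of-life one) as exposed rather than as safe. The fixed-version table is an assumption for illustration; take the authoritative values from the vendor advisories for the three CVEs.

```python
"""PAN-OS patch-status audit for the three chained CVEs.

Added example, not Palo Alto Networks code. The first-fixed release per
release train below is an ASSUMPTION for illustration: take the authoritative
values from the vendor advisories for CVE-2025-0108, CVE-2025-0111 and
CVE-2024-9474. A train missing from the table must be treated as unpatched.
"""
import re
from typing import Dict, NamedTuple, Tuple


class PanosVersion(NamedTuple):
    """PAN-OS version 'major.minor.maint[-hN]'; tuple order gives release order."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when no -h suffix is present


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanosVersion:
    """Parse '10.2.13-h3' -> PanosVersion(10, 2, 13, 3); raise on malformed input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Assumed first-fixed release per train (major, minor); replace with advisory values.
FIRST_FIXED: Dict[Tuple[int, int], str] = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}


def patch_status(version_text: str) -> str:
    """Classify one device: 'patched', 'unpatched', or 'unsupported-train'."""
    v = parse_version(version_text)
    fixed_text = FIRST_FIXED.get((v.major, v.minor))
    if fixed_text is None:
        # No fix exists on this train (e.g. end-of-life); treat it as exposed.
        return "unsupported-train"
    fixed = parse_version(fixed_text)
    # NamedTuple comparison is lexicographic, so a later maintenance release
    # (e.g. 10.2.14) ranks above 10.2.13-h3 even without a hotfix suffix.
    return "patched" if v >= fixed else "unpatched"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map device name -> status for an inventory of name -> running version."""
    return {name: patch_status(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "fw-edge-1": "10.2.13-h3",  # exactly the fixed hotfix
        "fw-edge-2": "10.2.13",     # same maintenance release, hotfix missing
        "fw-dc-1": "11.2.5",        # later maintenance release, no hotfix needed
        "fw-lab-1": "11.0.4",       # train with no fix in the table
    }
    for name, status in audit(sample).items():
        print(f"{name:10} {sample[name]:12} {status}")
```

The hotfix suffix is the detail that trips up naive string comparisons: `10.2.13` sorts after `10.2.13-h3` lexicographically but is the older, unpatched build, which is why the version is parsed into an integer tuple before comparing.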
### Workarounds
No specific workarounds were detailed in the provided text beyond applying the vendor patches immediately. Independently of that text, Palo Alto Networks' advisories for these CVEs note that the risk is greatly reduced by restricting access to the management web interface to trusted internal IP addresses, per its published deployment guidelines. That restriction narrows who can reach the entry point of the chain but does not remove the need to patch; given the active exploitation, immediate patching is critical.
## Detection
- Indicators of Compromise (IoCs): Source IP addresses seen probing for **CVE-2025-0108**. GreyNoise reported two such addresses at first and 25 by February 18, mostly in the US, Germany and the Netherlands; the addresses themselves are not reproduced here, and IP-based indicators of this kind age quickly as scanners rotate infrastructure.
- Detection Methods and Tools: GreyNoise and the Shadowserver Foundation are tracking exploitation activity. Review web management interface logs for requests that reach session-protected endpoints without a preceding successful login, for administrative actions from source addresses outside the documented admin ranges, and for any evidence that the management interface is reachable from the internet at all. CISA added CVE-2025-0108 to its KEV catalog on February 18, 2025.
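The log review described above, as an added example that is not part of the original page and not GreyNoise, Shadowserver or Palo Alto Networks code. It walks a constructed management-interface access log in time order and raises three kinds of finding per source address: the source is outside the admin allow-list, a request succeeded on a session-only path from a source that never completed a login (the authentication-bypass indicator), and the request path carries traversal or percent-encoded dots, which a management UI never needs. The line format, the endpoint names (`/login`, `/api/`) and the allow-list are assumptions; adapt them to your own logs.

```python
"""Triage constructed management-interface access logs for auth-bypass indicators.

Added example, not Palo Alto Networks, GreyNoise or Shadowserver code. The log
line format, endpoint names and admin allow-list are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Assumed: only these networks should ever reach the management web interface.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed line format:
#   <timestamp> src=<ip> user=<name or -> method=<M> path=<path> status=<code>
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

LOGIN_PATH = "/login"      # assumed login endpoint
SESSION_PREFIX = "/api/"   # assumed: everything under here requires an admin session

# Generic traversal / encoded-dot patterns that a management UI never needs.
_TRAVERSAL_RE = re.compile(r"(\.\.|%2e|%252e)", re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict for a well-formed line, None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Walk lines in time order; return src_ip -> sorted list of finding kinds.

    outside-allow-list        source is not in ADMIN_NETWORKS
    privileged-without-login  a 200 on a session-only path from a source that
                              never produced a successful login (bypass indicator)
    traversal-in-path         '..' or encoded dots in the request path
    """
    findings: Dict[str, set] = defaultdict(set)
    logged_in = set()  # sources that completed a successful login earlier in the log
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if not any(ipaddress.ip_address(src) in net for net in ADMIN_NETWORKS):
            findings[src].add("outside-allow-list")
        if _TRAVERSAL_RE.search(rec["path"]):
            findings[src].add("traversal-in-path")
        if rec["path"] == LOGIN_PATH and rec["status"] == 200 and rec["user"] != "-":
            logged_in.add(src)
        elif (rec["path"].startswith(SESSION_PREFIX) and rec["status"] == 200
              and src not in logged_in):
            findings[src].add("privileged-without-login")
    return {src: sorted(kinds) for src, kinds in findings.items()}


# Constructed sample log, not real traffic; RFC 5737 documentation ranges stand in
# for the non-admin sources. The malformed last line exercises the parser's skip path.
SAMPLE_LOG = """\
2025-02-18T09:00:01Z src=10.1.2.3 user=admin method=POST path=/login status=200
2025-02-18T09:00:05Z src=10.1.2.3 user=admin method=GET path=/api/config status=200
2025-02-18T09:10:00Z src=203.0.113.7 user=- method=GET path=/api/config status=200
2025-02-18T09:10:02Z src=203.0.113.7 user=- method=GET path=/api/..%2fapi/export status=200
2025-02-18T09:12:00Z src=198.51.100.4 user=- method=POST path=/login status=401
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for src, kinds in triage(SAMPLE_LOG.splitlines()).items():
        print(src, ", ".join(kinds))
```

The "privileged-without-login" rule is the one that matters for an authentication bypass: the bypassed request looks like any other successful administrative request, so the signal is the absence of the login that should have preceded it, which is why the script keys state on the source address rather than on a user name (the bypassed request carries none).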
## References
- Vendor Advisories: Palo Alto Networks security advisories for the three CVEs, updated February 19, 2025, to note that they are being chained.
- Security Reporting: GreyNoise blog post detailing observations of active exploitation (search for **greynoise observes active exploitation of pan-os authentication bypass vulnerability cve-2025-0108**).
- Threat Intelligence: Shadowserver Foundation status update on exploitation activity (search for **shadowserver status 1890390638387986559**).
- CISA KEV Catalog entry for CVE-2025-0108 (Added February 18, 2025).