Full Report
Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass. The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box. "An authentication bypass in the Palo Alto Networks PAN-OS software enables an
Analysis Summary
# Vulnerability: PAN-OS Authentication Bypass via Nginx/Apache Request Handling
## CVE Details
- CVE ID: CVE-2025-0108
- CVSS Score: 7.8 (High)
- CWE: Not specified in detail, but related to directory traversal/request handling discrepancies.
## Affected Systems
- Products: Palo Alto Networks PAN-OS software
- Versions (each branch is affected in releases earlier than the fixed version listed):
  - PAN-OS 11.2 before 11.2.4-h4
  - PAN-OS 11.1 before 11.1.6-h1
  - PAN-OS 10.2 before 10.2.13-h3
  - PAN-OS 10.1 before 10.1.14-h9
  - PAN-OS 11.0 (End-of-Life as of November 17, 2024; no fix is provided, so users must upgrade to a supported fixed version)
- Configurations: Affects any system where network access to the **management web interface** is permitted. The severity score drops to 5.1 if access is restricted via a jump server.
## Vulnerability Description
This vulnerability is an authentication bypass in PAN-OS. An unauthenticated remote attacker who can gain network access to the management web interface can bypass required authentication mechanisms. This is achieved by exploiting a discrepancy in how the interface's Nginx and Apache components handle incoming requests, leading to a directory traversal attack. Successful exploitation allows the attacker to invoke specific PHP scripts, which can negatively impact the **Integrity** and **Confidentiality** of PAN-OS. **Note:** This vulnerability does *not* lead to Remote Code Execution (RCE).
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC information is linked in the researcher's blog.
- Complexity: Implied **Medium/Low** given it only requires network access to the management interface.
- Attack Vector: **Network** (requires network access to the management web interface).
## Impact
- Confidentiality: Negative impact possible (via invoked PHP scripts).
- Integrity: Negative impact possible (via invoked PHP scripts).
- Availability: Not explicitly detailed, but potential negative impact to system services/configuration integrity.
## Remediation
### Patches
Palo Alto Networks has released updates addressing this and two other vulnerabilities. Users should upgrade to the following fixed versions:
- **PAN-OS 11.2:** upgrade to **11.2.4-h4** or later
- **PAN-OS 11.1:** upgrade to **11.1.6-h1** or later
- **PAN-OS 10.2:** upgrade to **10.2.13-h3** or later
- **PAN-OS 10.1:** upgrade to **10.1.14-h9** or later
*Note: PAN-OS 11.0 has reached EOL; upgrade to a currently supported, patched version.*
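As an added example (not code from the advisory or the vendor), a small Python checker that compares an installed PAN-OS version string against the fixed versions listed above and flags the EOL 11.0 branch. It assumes the version format `major.minor.patch[-hN]`, where a hotfix suffix `-hN` sorts above the base release, and it treats branches the summary does not list as unknown rather than safe.

```python
"""Assess whether a PAN-OS version string is covered by the CVE-2025-0108 fixes."""
import re
from typing import Tuple

# Minimum fixed version per release branch, taken from the advisory summary.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}
# Branch the summary lists as end-of-life: no fixed release exists, always flag it.
EOL_BRANCHES = {(11, 0)}

# Assumed version syntax: major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release without a hotfix suffix is treated as hotfix 0, so it
    sorts below every hotfix of the same patch level (assumption, see above).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown-branch' for a version."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Not listed in this summary; consult the vendor advisory directly.
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for sample in ["11.2.4", "11.2.4-h4", "11.2.5", "10.1.14-h8", "11.0.3", "12.1.0"]:
        print(f"{sample:12} {assess(sample)}")
```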
### Workarounds
- Disable public/untrusted network access to the PAN-OS management interface. If necessary, restrict access to trusted jump servers or internal networks only.
## Detection
- Detection focuses on monitoring the management web interface for unusual request patterns: requests containing directory-traversal sequences, or requests that reach PHP scripts without an authenticated session.
- *Indicators of Compromise (IOCs) were not specified in the summary.*
## References
- Vendor Advisory: securityadvisories[.]paloaltonetworks[.]com/CVE-2025-0108
- Researcher Disclosure: slcyber[.]io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
***
### Related Vulnerabilities Noted in Advisory
The advisory also addressed two other issues:
1. **CVE-2025-0109 (CVSS 5.5):** Unauthenticated file deletion vulnerability in the management interface, allowing deletion of limited log/config files as the "nobody" user. (Fixed in same versions as above).
2. **CVE-2025-0110 (CVSS 7.3):** Command Injection in the PAN-OS OpenConfig plugin for authenticated administrators making gNMI requests, allowing arbitrary command execution. (Fixed in PAN-OS OpenConfig Plugin version 2.1.2).
**Mitigation for CVE-2025-0110:** Customers not using the OpenConfig feature should disable or uninstall the plugin.