Week 9 – Palo Alto PAN-OS Authentication Bypass

03-10 March 2025

Palo Alto PAN-OS authentication bypass exploited in the wild: CVE-2025-0108

This week’s #CVEofTheWeek is about an actively exploited critical Authentication Bypass vulnerability in Palo Alto PAN-OS. PAN-OS is the software that runs all Palo Alto Networks Next-Generation Firewalls (NGFW). The high-level properties of this CVE are very similar to those of last year’s CVE-2024-0012.

The vulnerability was found and reported by Adam Kues from the Assetnote Security Research Team, who also published a detailed blog post about the vulnerability after the patch was released for the product.

Palo Alto Networks released a security bulletin on February 12 about the vulnerability as “CVE-2025-0108 PAN-OS”, where they published the warning and listed the affected versions and fixes.

The CVE was added to CISA’s Known Exploited Vulnerabilities Catalog on the 18th of February.

This issue is categorized as Missing Authentication for Critical Function (CWE-306) – The CVSSv3 base score is 9.1 Critical.

It impacts various versions of PAN-OS 10.1, PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. On 11.2, the first fixed version is 11.2.4-h4; on 11.1, the first fixed versions are 11.1.2-h18 and 11.1.6-h1. For details about the other main versions’ status, please see the compatibility matrix in the Security Bulletin. Cloud NGFW and Prisma Access are not affected.
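Because PAN-OS hotfix numbers (the `-hN` suffix) only have meaning within their own maintenance branch, a naive numeric comparison of version strings gives wrong answers. The following added example (not code from Palo Alto Networks, Assetnote, or this newsletter) shows a conservative inventory check that encodes only the first fixed releases named above and reports any version on a branch the advisory summary does not cover as "unknown" rather than guessing; the version string format `major.minor.patch[-hN]` and the inventory entries are assumptions constructed for the example.

```python
import re

# First fixed releases named in the advisory summary above (11.2 and 11.1 only).
# Branches not listed here (10.1, 10.2, 11.0 and other 11.1.x / 11.2.x lines)
# deliberately produce "unknown": consult the vendor compatibility matrix for them.
FIXED_VERSIONS = ["11.2.4-h4", "11.1.2-h18", "11.1.6-h1"]

# Assumed PAN-OS version syntax: major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.patch[-hN]' into a comparable tuple (hotfix 0 if absent)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version_text, fixed=FIXED_VERSIONS):
    """Return 'fixed', 'vulnerable' or 'unknown' for one PAN-OS version string.

    A verdict is only given when a known fixed release exists on the same
    major.minor.patch branch; hotfix numbers are not comparable across branches.
    """
    v = parse_version(version_text)
    for fixed_text in fixed:
        f = parse_version(fixed_text)
        if v[:3] == f[:3]:
            return "fixed" if v[3] >= f[3] else "vulnerable"
    return "unknown"


def triage(inventory):
    """Group (hostname, version) pairs by verdict so patching can be prioritised."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        result[assess(version)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("fw-edge-1", "11.2.4-h3"), ("fw-edge-2", "11.2.4-h4"),
              ("fw-dc-1", "11.1.2-h18"), ("fw-dc-2", "11.1.6"),
              ("fw-lab-1", "11.1.4-h2"), ("fw-old-1", "10.2.7")]
    for verdict, hosts in triage(sample).items():
        print(f"{verdict:10s} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" are not cleared; they simply fall outside the fixed versions this summary lists.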

This vulnerability enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit additional vulnerabilities such as CVE-2024-9474 or CVE-2025-0111.

CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. It is also mentioned in this Advisory because exploitation attempts observed in the wild chained it with CVE-2025-0108. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.

CVE-2025-0111 is an authenticated file read vulnerability in the Management Web Interface, which enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.

The risk of these issues is greatly reduced if access to the management web interface is restricted to trusted internal IP addresses only.

Security researchers urge customers running vulnerable versions to upgrade as soon as possible, because according to the Security Advisory this flaw has already been exploited in the wild.

Details about the issue, the list of affected versions and additional information are available in the released bulletin:

https://security.paloaltonetworks.com/CVE-2025-0108

Link to the researcher’s write-up at Assetnote Security:

https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

For more information about the vulnerability, please visit the NVD and Tenable entries:

https://nvd.nist.gov/vuln/detail/CVE-2025-0108

https://www.tenable.com/cve/CVE-2025-0108