Sunday, March 16, 2025
Hackers exploit authentication bypass in Palo Alto Networks PAN-OS

Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.

The security issue received a high-severity rating and affects the PAN-OS management web interface. It allows an unauthenticated attacker with network access to bypass authentication and invoke certain PHP scripts, potentially compromising integrity and confidentiality.

In a security bulletin on February 12, Palo Alto Networks urged admins to upgrade firewalls to the versions below to address the issue:

  • 11.2.4-h4 or later
  • 11.1.6-h1 or later
  • 10.2.13-h3 or later
  • 10.1.14-h9 or later

PAN-OS 11.0 is also impacted, but the product has reached end of life (EoL) and Palo Alto Networks does not plan to release any fixes for it. Users are therefore strongly recommended to upgrade to a supported release instead.
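As an added example (not from the article or from Palo Alto Networks), the Python helper below parses PAN-OS version strings, including the `-hN` hotfix suffix, and checks an inventory against the fixed releases listed above, treating the EoL 11.0 branch as unfixable and any branch the bulletin does not list as unknown rather than guessing. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed release per PAN-OS branch, as listed in the February 12 bulletin.
FIXED_RELEASES = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}
# Affected branch that is end-of-life with no fix planned.
EOL_BRANCHES = {(11, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a sortable tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Classify one PAN-OS version against the CVE-2025-0108 fix list.

    Returns 'patched', 'vulnerable', 'eol_no_fix' or 'unknown_branch'.
    A later maintenance release on the same branch (e.g. 10.2.14) counts as patched;
    the fixed maintenance release without its hotfix (10.2.13) does not.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in EOL_BRANCHES:
        return "eol_no_fix"
    if branch not in FIXED_RELEASES:
        return "unknown_branch"
    return "patched" if v >= parse_version(FIXED_RELEASES[branch]) else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its status."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("fw-edge-01", "10.2.13"), ("fw-edge-02", "10.2.13-h3"),
              ("fw-dc-01", "11.0.4"), ("fw-lab-01", "11.1.7"), ("fw-old-01", "9.1.12")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```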

Affected PAN-OS versions (Source: Palo Alto Networks)

The vulnerability was discovered and reported to Palo Alto Networks by security researchers at Assetnote, who also published a write-up with full exploitation details when the patch was released.

The researchers demonstrated how the flaw could be leveraged to extract sensitive system data, retrieve firewall configurations, or potentially manipulate certain settings within PAN-OS.

The exploit leverages a path confusion between Nginx and Apache in PAN-OS that allows bypassing authentication.

Attackers with network access to the management interface can leverage this to gather intelligence for further attacks or to weaken security defenses by modifying accessible settings.

Exploitation workflow (Source: Assetnote)

Threat monitoring platform GreyNoise logged exploitation attempts targeting unpatched PAN-OS firewalls.

The attacks started on February 13, at 17:00 UTC, and appear to originate from multiple IP addresses, possibly indicating exploitation efforts from distinct threat actors.

Malicious activity in the wild (Source: GreyNoise)

Regarding the exposure of vulnerable devices online, Macnica researcher Yutaka Sejiyama told BleepingComputer that there are currently over 4,400 PAN-OS devices exposing their management interface online.

To defend against the ongoing exploitation activity, which, given that the PoC is public, is very likely to intensify in the following days, it is strongly recommended to apply the available patches and restrict access to firewall management interfaces.
