Palo Alto PAN-OS Authentication Bypass Exploited in Chained Attacks
A critical authentication bypass in Palo Alto Networks PAN-OS management interface is being chained with other vulnerabilities to achieve remote code execution on firewalls.
What happened: Palo Alto Networks disclosed CVE-2025-0108, an authentication bypass vulnerability in the management web interface of PAN-OS. Within days of disclosure, threat actors began actively exploiting the flaw, chaining it with previously known vulnerabilities to achieve full remote code execution on affected firewalls. GreyNoise observed exploitation attempts originating from multiple IP addresses.
Technical details: CVE-2025-0108 (CVSS 8.8) allows an unauthenticated attacker with network access to the management interface to bypass authentication and invoke certain PHP scripts. While this alone does not enable remote code execution, attackers are chaining it with CVE-2024-9474 (a prior privilege escalation vulnerability) and CVE-2025-0110 (a command injection in the OpenConfig plugin) to achieve full compromise. The authentication bypass exploits a path confusion between Nginx and Apache in the PAN-OS request handling architecture.
Who is affected: Organizations with Palo Alto Networks firewalls running PAN-OS versions prior to the patched releases, particularly those with management interfaces accessible from untrusted networks. Both physical and virtual form factors are affected.
What defenders should do: Apply PAN-OS updates immediately. As a critical short-term mitigation, restrict management interface access to trusted internal IP addresses only. Disable the OpenConfig plugin if not in use. Monitor firewall logs for unauthorized authentication bypass attempts and unexpected PHP script execution. Review firewall configurations for signs of tampering.
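One way to make the monitoring advice above concrete, as an added example that is not from the advisory or from Palo Alto Networks: scan management-interface access log lines for two defender-side signals, PHP scripts requested from outside a trusted management allowlist, and request paths whose decoded, normalized form differs from the raw path (the kind of mismatch that lets a front-end and back-end server disagree about routing). The log format, paths and IP ranges are constructed assumptions, not real PAN-OS output.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote
# Trusted management networks (assumption; replace with your own ranges).
TRUSTED_MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
# Constructed, hypothetical nginx-style access log lines; not real PAN-OS output.
SAMPLE_LOG = """\
10.10.0.5 - - [12/Feb/2025:10:01:02 +0000] "GET /php/login.php HTTP/1.1" 200 1234
203.0.113.44 - - [12/Feb/2025:10:02:15 +0000] "GET /php/login.php HTTP/1.1" 200 1234
203.0.113.44 - - [12/Feb/2025:10:02:16 +0000] "POST /help/%2e%2e/admin.php HTTP/1.1" 200 512
10.10.0.5 - - [12/Feb/2025:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8000
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize_path(raw):
    """Strip the query, percent-decode (repeatedly) and collapse '..' segments."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # repeat to catch double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETWORKS)

def analyze(log_text):
    """Return one finding per suspicious request, with the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, raw_path, status = m.groups()
        clean = raw_path.split("?", 1)[0]
        norm = normalize_path(raw_path)
        reasons = []
        # PHP endpoint reached from outside the management allowlist.
        if norm.endswith(".php") and not is_trusted(ip):
            reasons.append("untrusted_source_php")
        # Raw and normalized paths differ: front end and back end may route it differently.
        if norm != (clean.rstrip("/") or "/"):
            reasons.append("path_normalization_mismatch")
        if reasons:
            findings.append({"ip": ip, "method": method, "path": raw_path, "status": status, "reasons": reasons})
    return findings
```

Run it against your own exported access logs and feed the findings into the same review you use for configuration-tampering checks.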
Broader implications: The exploitation of PAN-OS vulnerabilities through chained attacks demonstrates the increasing sophistication of adversaries targeting network security appliances. The rapid weaponization within days of disclosure underscores the shrinking window defenders have to patch critical infrastructure and the importance of restricting management plane access as a defense-in-depth measure.