A newly patched vulnerability in Palo Alto Networks’ PAN-OS firewalls is under active exploitation, allowing attackers to bypass authentication and potentially compromise sensitive system configurations. Cybersecurity experts urge immediate patching as exploitation attempts escalate.
Critical Vulnerability Leaves PAN-OS Firewalls Exposed
A serious security flaw in PAN-OS, the operating system running on Palo Alto Networks’ firewalls, is now being exploited by hackers. The issue, tracked as CVE-2025-0108, received a high-severity rating due to its ability to let attackers bypass authentication and execute PHP scripts via the management web interface.
Palo Alto Networks addressed the flaw in a security bulletin on February 12, urging administrators to update their systems immediately. However, just a day later, on February 13, exploitation attempts were already being observed in the wild.
The company recommends updating to the following patched versions:
- 11.2.4-h4 or later
- 11.1.6-h1 or later
- 10.2.13-h3 or later
- 10.1.14-h9 or later
For users still running PAN-OS 11.0, there is bad news: the version has reached end-of-life (EoL), meaning no fixes will be released. Upgrading to a supported release is the only way to stay secure.
How Hackers Are Exploiting CVE-2025-0108
The vulnerability was discovered and reported by researchers at Assetnote, who later published a technical breakdown of how attackers could leverage it. The flaw stems from a path confusion issue between the Nginx and Apache components within PAN-OS, which allows unauthorized access to restricted files.
In practical terms, attackers with network access to the firewall’s management interface can:
- Extract sensitive system data
- Retrieve firewall configurations
- Modify security settings, potentially weakening defenses
Security analysts warn that this type of unauthorized access could pave the way for more severe attacks, including persistent backdoors, data theft, or further exploitation within an organization’s network.
Real-World Attacks Have Already Begun
Threat intelligence firm GreyNoise has already observed active exploitation attempts, with attack traffic detected starting February 13, 17:00 UTC. These attacks are coming from multiple IP addresses, suggesting that multiple hacking groups are attempting to exploit the flaw.
GreyNoise’s tracking indicates that some of these attacks may be automated, meaning that even unskilled attackers could leverage public exploit code to gain access to vulnerable systems.
Meanwhile, security researcher Yutaka Sejiyama from Macnica reports that over 4,400 PAN-OS devices have their management interface exposed online, significantly increasing the risk of compromise.
What Organizations Should Do Now
Given the rapid increase in exploitation activity, organizations using PAN-OS should take immediate action:
- Apply the security patches to move to a safe version
- Restrict access to the firewall management interface to internal networks only
- Monitor for suspicious activity, particularly unauthorized login attempts or configuration changes
Table: Recommended Security Actions for PAN-OS Firewalls

| Security Measure | Description |
|---|---|
| Patch to a secure version | Upgrade to PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, or 10.1.14-h9 |
| Disable external access | Restrict management access to internal or trusted networks |
| Monitor logs | Check for unusual login attempts or configuration changes |
| Block known attack IPs | Use firewall rules to prevent exploitation attempts from known bad actors |
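To turn the fixed-version list above into a repeatable inventory check, here is an added Python example (not from the article and not Palo Alto Networks' own tooling). It parses PAN-OS version strings of the form major.minor.maintenance[-hN], which is an assumption about the version format, and classifies each device against the fixed versions the article lists for each release train. The hostnames and the sample inventory are constructed for the example; release trains the article does not mention (for example 9.x) are reported as "unknown" rather than guessed.

```python
import re

# Fixed versions per release train, exactly as listed in the article.
# A device is considered patched when it is at or above the listed version
# within the same major.minor train.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h4",
    (11, 1): "11.1.6-h1",
    (10, 2): "10.2.13-h3",
    (10, 1): "10.1.14-h9",
}

# PAN-OS 11.0 is end-of-life per the article: no fix will be released.
EOL_TRAINS = {(11, 0)}

# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Parse '10.2.13-h3' into a comparable tuple (10, 2, 13, 3).

    A version without a hotfix suffix gets hotfix 0, so '10.2.13' sorts
    below '10.2.13-h3' and '10.2.14' sorts above both.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix) if hotfix else 0)


def assess(version: str) -> str:
    """Classify a single device version as patched, vulnerable, eol or unknown."""
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train in EOL_TRAINS:
        return "eol"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        # Train not covered by the article's list; do not guess.
        return "unknown"
    return "patched" if parsed >= parse_panos_version(fixed) else "vulnerable"


def triage(inventory):
    """Group (hostname, version) pairs by assessment result."""
    result = {"patched": [], "vulnerable": [], "eol": [], "unknown": []}
    for host, version in inventory:
        result[assess(version)].append(host)
    return result


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.2.4-h4"),   # at the fixed version
    ("fw-edge-02", "11.2.3"),      # below the fixed version in its train
    ("fw-dc-01", "10.2.13-h3"),    # at the fixed version
    ("fw-dc-02", "10.2.13"),       # same maintenance release, missing the hotfix
    ("fw-lab-01", "11.0.3"),       # end-of-life train, no fix available
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The hotfix-aware comparison matters here: a device on 10.2.13 without the h3 hotfix is still exposed even though its maintenance number matches the fixed release, and a plain string comparison would not catch that.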
With proof-of-concept (PoC) exploit details already public, attacks are expected to escalate further in the coming days. Organizations that fail to patch may find themselves at serious risk of a breach.