Original Article Text


Hackers exploit authentication bypass in Palo Alto Networks PAN-OS. Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.

The security issue received a high-severity score and affects the PAN-OS management web interface. It allows an unauthenticated attacker with network access to that interface to bypass authentication and invoke certain PHP scripts, potentially compromising the integrity and confidentiality of the device.

In a security bulletin published on February 12, Palo Alto Networks urges admins to upgrade firewalls to the fixed versions listed in the bulletin. PAN-OS 11.0 is also affected, but that branch has reached end of life (EoL) and Palo Alto Networks does not plan to release a fix for it. Users still on 11.0 are strongly advised to move to a supported release instead.

The vulnerability was discovered and reported to Palo Alto Networks by security researchers at Assetnote, who published a write-up with complete exploitation details when the patch was released. The researchers demonstrated how the flaw could be leveraged to extract sensitive system data, retrieve firewall configurations, or potentially manipulate certain settings within PAN-OS.

The exploit relies on a path confusion between Nginx and Apache in PAN-OS: the two components interpret the same request path differently, and the difference is what lets the authentication check be bypassed. Attackers with network access to the management interface can use this to gather intelligence for further attacks or to weaken security defenses by modifying the settings they can reach.

Threat monitoring platform GreyNoise logged exploitation attempts targeting unpatched PAN-OS firewalls. The attacks started on February 13 at 17:00 UTC and appear to originate from several IP addresses, which may indicate exploitation efforts by distinct threat actors.

Regarding the exposure of vulnerable devices online, Macnica researcher Yutaka Sejiyama told BleepingComputer that there are currently over 4,400 PAN-OS devices exposing their management interface to the internet. With a public PoC available, the ongoing exploitation activity is very likely to intensify over the coming days. To defend against it, apply the available patches and restrict access to firewall management interfaces to trusted internal addresses only.
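The article names the bug class, a path confusion between a front proxy and the backend that runs the PHP scripts, but not its mechanics. The following is an added, generic illustration of that class, written for this page and not taken from Assetnote's write-up or from PAN-OS: the route names (/unauth/, /php/admin_settings.php, /php/export_config.php), the double percent-decoding, and the sample log lines are all constructed assumptions, not PAN-OS internals or the actual exploit string. It shows a front-end authentication check made on the raw path beside a backend that canonicalises before dispatch, the hardened form that canonicalises first and refuses paths that change under canonicalisation, and a small access-log scan that flags requests whose canonical path escapes the public prefix, which is the signature of the confusion itself rather than of any specific payload.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed, illustrative routes for a toy management interface.
# They are NOT PAN-OS endpoints; the real script names are not on this page.
PUBLIC_PREFIX = "/unauth/"
PUBLIC_SCRIPTS = {"/unauth/login.php": "login page"}
PROTECTED_SCRIPTS = {
    "/php/admin_settings.php": "admin settings",
    "/php/export_config.php": "configuration export",
}


def frontend_requires_auth(raw_path: str) -> bool:
    """Front proxy (Nginx-like) decision made on the RAW request path,
    before any percent-decoding or '..' normalisation. Anything under
    the public prefix is waved through without a session."""
    return not raw_path.startswith(PUBLIC_PREFIX)


def backend_resolve(raw_path: str) -> str:
    """Backend (Apache-like) view of the same request: percent-decode and
    collapse dot segments before mapping the path to a PHP script.
    Decoding twice is an assumption that models a server decoding once on
    the wire and once more while mapping to the filesystem."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def vulnerable_dispatch(raw_path: str, authenticated: bool) -> str:
    """Two components, two interpretations of one path: the auth check uses
    the raw path, the script lookup uses the canonical one."""
    if frontend_requires_auth(raw_path) and not authenticated:
        return "401"
    script = backend_resolve(raw_path)
    if script in PROTECTED_SCRIPTS:
        return "200 " + PROTECTED_SCRIPTS[script]
    if script in PUBLIC_SCRIPTS:
        return "200 " + PUBLIC_SCRIPTS[script]
    return "404"


def hardened_dispatch(raw_path: str, authenticated: bool) -> str:
    """Canonicalise first, refuse paths that change under canonicalisation,
    and make the auth decision on the canonical path that will be served."""
    canonical = backend_resolve(raw_path)
    if canonical != raw_path:
        return "400"  # encoded or dot-segment path: refuse rather than guess
    if not canonical.startswith(PUBLIC_PREFIX) and not authenticated:
        return "401"
    if canonical in PROTECTED_SCRIPTS:
        return "200 " + PROTECTED_SCRIPTS[canonical]
    if canonical in PUBLIC_SCRIPTS:
        return "200 " + PUBLIC_SCRIPTS[canonical]
    return "404"


def escapes_public_prefix(raw_path: str) -> bool:
    """Detection rule: the raw path claims to be public but its canonical
    form is not. This matches the confusion, not one exploit string."""
    canonical = backend_resolve(raw_path)
    return raw_path.startswith(PUBLIC_PREFIX) and not canonical.startswith(PUBLIC_PREFIX)


# Combined-log style line: client, ident, user, [timestamp], "METHOD path HTTP/x"
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP')


def scan_access_log(lines):
    """Return (client_ip, timestamp, raw_path) for each request whose path
    escapes the public prefix."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and escapes_public_prefix(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample log lines (not real traffic; documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Feb/2025:17:01:03 +0000] "GET /unauth/login.php HTTP/1.1" 200 812',
    '203.0.113.5 - - [13/Feb/2025:17:02:11 +0000] "GET /unauth/%252e%252e/php/admin_settings.php HTTP/1.1" 200 4096',
    '203.0.113.9 - - [13/Feb/2025:17:02:40 +0000] "GET /unauth/../php/export_config.php HTTP/1.1" 200 20480',
    '198.51.100.8 - - [13/Feb/2025:17:03:00 +0000] "GET /php/admin_settings.php HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    probe = "/unauth/%252e%252e/php/admin_settings.php"
    print("vulnerable:", vulnerable_dispatch(probe, authenticated=False))
    print("hardened:  ", hardened_dispatch(probe, authenticated=False))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

The design point is that the authentication decision and the dispatch decision must be made on the same canonical path by the same component; a proxy that exempts a prefix from authentication on the raw path cannot be trusted if anything behind it re-decodes or normalises. The log rule is deliberately payload-agnostic so it survives encoding variations, and it belongs on the front proxy's logs, which see the raw path, not on the backend's, which only see the canonical one.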

Daily Brief Summary

CYBERCRIME // Hackers Exploit Vulnerability in Palo Alto Networks Firewalls

Hackers are exploiting a high-severity vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS firewalls allowing them to bypass authentication.

The exploited flaw affects the PAN-OS management web interface, letting an unauthenticated attacker with network access invoke certain PHP scripts and compromise the integrity and confidentiality of the device.

Palo Alto Networks has released patches and advises users to upgrade their firewalls to fixed versions; PAN-OS 11.0 is end of life and will not receive a fix, so devices on that branch must move to a supported release.

The vulnerability was reported by Assetnote, which published full exploitation details once the patch was available.

Attackers can use the exploit, which abuses a path confusion between Nginx and Apache in PAN-OS, to extract sensitive data, retrieve firewall configurations, or manipulate settings within PAN-OS.

GreyNoise observed active exploitation attempts starting on February 13 at 17:00 UTC, originating from several IP addresses.

Over 4,400 PAN-OS devices with exposed management interfaces are currently online, increasing the risk of exploitation.

Users are urged to apply the patches promptly and to restrict access to firewall management interfaces to trusted internal networks to mitigate the risk.