Attack chain using CVE-2025-0108 and CVE-2025-0111 has been observed in the wild

Threat ID:CC-4621

Threat Severity:Medium

Published:13 February 2025 3:14 PM

Summary

Affected platforms

The following platforms are known to be affected:

Palo Alto Networks PAN-OSPAN-OS 10.1

all prior to 10.1.14-h9

PAN-OS 10.2

all prior to 10.2.7-h24
all prior to 10.2.8-h21
all prior to 10.2.9-h21
all prior to 10.2.10-h14
all prior to 10.2.11-h12
all prior to10.2.12-h6
all prior to10.2.13-h3

PAN-OS 11.1

all prior to 11.1.2-h18
all prior to 11.1.6-h1

PAN-OS 11.2

all prior to 11.2.4-h4

Notes:

PAN-OS 11.0 - This product has reached end of life (EOL) and will not receive any updates
Cloud NGFW and Prisma Access are not affected

Threat details

Exploitation of CVE-2025-0108 and CVE-2025-0111

Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces.

Please see Cyber Alert CC-4578 for further information on CVE-2024-9474.

Introduction

Palo Alto Networks has issued a security advisory for two high severity vulnerabilities affecting Palo Alto Networks PAN-OS software

CVE-2025-0108 is an authentication bypass vulnerability. The CVSSv4 score for this vulnerability depends on the configuration, but when the management interface is exposed to external IP addresses on the internet, the score is 7.8. The vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication process otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.

CVE-2025-0111 is an authenticated file read vulnerability. The CVSSv4 score for this vulnerability depends on the configuration, but when the management interface is exposed to external IP addresses on the internet, the score is 7.1. The vulnerability enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the 'nobody' user. Whilst the 'nobody' user has limited privileges, an attacker might still access sensitive material in these files which can be used for further exploitation.

Threat updates


20 Feb 2025	Cyber Alert updated to detail CVE-2025-0111 and reflect the observed attack chain.
14 Feb 2025	Cyber Alert updated to reflect exploitation in the wild

Remediation advice

Affected organisations are encouraged to review the Palo Alto Networks security advisories CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface and CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface, and apply the relevant updates as soon as practicable.

Remediation steps


Guidance	To find assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required). Devices with an internet-facing management interface discovered in Palo Alto Networks' scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates their scan did not find any devices with internet-facing management interface for your account in the last three days. Organisations are encouraged to patch all affected platforms, regardless of their identification in the customer portal. https://support.paloaltonetworks.com/
Guidance	The vast majority of firewalls already follow Palo Alto Networks and industry best practices. Palo Alto Networks strongly recommends securing access to management interfaces according to their best practice deployment guidelines. Specifically, access should be restricted to the management interface to only trusted internal IP addresses to prevent external access from the internet. https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
Guidance	Palo Alto Networks official and more detailed technical documentation on securing management access to your Palo Alto Networks firewalls. https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Guidance

To find assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).

Devices with an internet-facing management interface discovered in Palo Alto Networks' scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates their scan did not find any devices with internet-facing management interface for your account in the last three days.

Organisations are encouraged to patch all affected platforms, regardless of their identification in the customer portal.

https://support.paloaltonetworks.com/

Guidance

The vast majority of firewalls already follow Palo Alto Networks and industry best practices. Palo Alto Networks strongly recommends securing access to management interfaces according to their best practice deployment guidelines. Specifically, access should be restricted to the management interface to only trusted internal IP addresses to prevent external access from the internet.

https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

Guidance

Palo Alto Networks official and more detailed technical documentation on securing management access to your Palo Alto Networks firewalls.

https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished

CVE-2025-0108An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.

CVE-2025-0111An authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.

Last edited: 20 February 2025 3:16 pm