What is the Vulnerability?
A recent authentication bypass vulnerability (CVE-2025-0108) in the Palo Alto Networks PAN-OS software is under active exploitation and has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Successful exploitation of CVE-2025-0108 enables an unauthenticated attacker with network access to the management web interface to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts that can impact its integrity and confidentiality.
According to the Vendor advisory, Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces.
CVE-2024-9474 is an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall with root privileges.
CVE-2025-0111 is an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the “nobody” user.
What is the recommended Mitigation?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions given in the vendor's advisory.
What FortiGuard Coverage is available?
• FortiGuard Labs has IPS protection available for CVE-2024-9474 and released a detailed outbreak report in Nov 2024: https://www.fortiguard.com/outbreak-alert/pan-os-management-interface-attack
• FortiGuard Labs is reviewing IPS protections for CVE-2025-0108 and CVE-2025-0111 and will update this Threat Signal report when they become available.
• FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) associated with the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.