Advisory

One more locally exploitable unauthenticated flaw reported in Palo Alto Networks PAN-OS

Take action: If you are running Palo Alto Networks devices with PAN-OS, review the advisory and make sure the management interface is isolated from the internet and accessible only from trusted networks. Then plan a patch, because even trusted endpoints and networks can be compromised.

Learn More

Palo Alto Networks is reporting a critical authentication bypass vulnerability in its PAN-OS software, tracked as CVE-2025-0108 (CVSS score 9.8).

This flaw affects the management web interface of PAN-OS devices, enabling an unauthenticated attacker with network access to the management web interface to bypass authentication and invoke certain PHP scripts. While this doesn't allow remote code execution, it can compromise the integrity and confidentiality of PAN-OS systems.

The vulnerability affects multiple versions of PAN-OS, including:

  • versions below 11.2.4-h4 for PAN-OS 11.2,
  • versions below 11.1.6-h1 for PAN-OS 11.1,
  • versions below 10.2.13-h3 for PAN-OS 10.2,
  • versions below 10.1.14-h9 for PAN-OS 10.1.

Cloud NGFW and Prisma Access products are not affected by this vulnerability. The vulnerability requires no privileges or user interaction.

The risk exposure is high when the management interface is accessible directly from the internet or through a dataplane interface with a management interface profile. GlobalProtect portals and gateways with management profiles configured (typically on port 4443) are also at risk. Palo Alto Networks has confirmed they are not aware of any malicious exploitation of this vulnerability in the wild.

Palo Alto Networks has released patched versions and strongly recommends that users upgrade to:

  • version 10.1.14-h9 or later for PAN-OS 10.1,
  • version 10.2.13-h3 or later for PAN-OS 10.2,
  • version 11.1.6-h1 or later for PAN-OS 11.1,
  • version 11.2.4-h4 or later for PAN-OS 11.2.

PAN-OS 11.0 reached end of life (EoL) as of November 17, 2024, and no additional fixes are planned for this release.
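Added here as an example (not code from Palo Alto Networks or the advisory): a small Python check that maps a running PAN-OS version string onto the fixed releases listed above, treating the -hN hotfix suffix as part of the comparison and flagging the end-of-life 11.0 branch. Branches the advisory does not list are reported as unknown rather than assumed safe.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory for CVE-2025-0108, keyed by major.minor branch.
FIXED = {
    "10.1": "10.1.14-h9",
    "10.2": "10.2.13-h3",
    "11.1": "11.1.6-h1",
    "11.2": "11.2.4-h4",
}
# Branches the advisory lists as end of life with no further fixes planned.
EOL = {"11.0"}

# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(running: str) -> str:
    """Classify a running version as 'fixed', 'vulnerable', 'eol' or 'unknown-branch'."""
    parsed = parse_version(running)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in EOL:
        return "eol"
    fixed = FIXED.get(branch)
    if fixed is None:
        # Not covered by the advisory text; do not assume it is safe.
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["11.2.4-h3", "11.2.4-h4", "10.2.13", "11.0.4", "12.0.1"]:
        print(f"{v:12s} -> {assess(v)}")
```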

The company strongly recommends following its best-practice deployment guidelines, which include restricting management interface access to trusted internal IP addresses only. This significantly reduces the risk, because an attack would then succeed only if the attacker first obtained privileged access to one of those permitted IP addresses.
