Attack

Palo Alto Networks reports another actively exploited firewall bug

Take action: For the third time in two months - if you are running Palo Alto firewalls, or really any Palo Alto product, make double sure that the management interface is reachable only from trusted internal IP addresses and that all internet access to the management interface is blocked. Then start patching. NOW.


Learn More

Palo Alto Networks is reporting another actively exploited vulnerability, chained with CVE-2025-0108.

The newly reported vulnerability is tracked as CVE-2025-0111 (CVSS score: 7.1) - a high-severity authenticated file read vulnerability that impacts the PAN-OS management web interface. This flaw enables authenticated attackers to read files that are accessible by the "nobody" user on the system.

Attackers are now combining CVE-2025-0111 with two other vulnerabilities: CVE-2025-0108, an authentication bypass vulnerability, and CVE-2024-9474, a privilege escalation flaw that was previously exploited as a zero-day and patched in November 2024.

At least 3,490 PAN-OS devices have their web management interfaces exposed to the internet; of these, 2,262 devices (65% of the total) remain vulnerable to all three vulnerabilities. An additional 1,168 devices have only partially addressed the threat by patching CVE-2024-9474 while remaining vulnerable to both CVE-2025-0108 and CVE-2025-0111.

These vulnerabilities affect multiple versions of PAN-OS, spanning versions 10.1 through 11.2, though Cloud NGFW and Prisma Access software remain unaffected. Successful exploitation of this vulnerability chain could allow attackers to access sensitive information, including configuration files.
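The two checks the advisory asks for (is the management interface reachable only from trusted internal addresses, and is the device on an affected PAN-OS branch) can be run over a firewall inventory. The script below is an added example written for this page, not Palo Alto Networks' code or tooling. It assumes a constructed inventory format (name, PAN-OS version, management address, and the list of CIDRs permitted to reach the management interface, modelling a PAN-OS permitted-IP allow-list), treats RFC 1918 space as "trusted internal", handles IPv4 only, and encodes the advisory's 10.1 through 11.2 range as branches needing patch review, since the advisory above does not list fixed builds.

```python
import ipaddress
from dataclasses import dataclass

# Affected PAN-OS release branches named in the advisory (10.1 through 11.2).
# No fixed builds are given on the page, so a device on one of these branches
# is flagged for patch review rather than declared vulnerable.
AFFECTED_BRANCHES = {"10.1", "10.2", "11.0", "11.1", "11.2"}

# Assumption: RFC 1918 space is what this check treats as "trusted internal".
TRUSTED_INTERNAL = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Firewall:
    name: str
    panos_version: str   # e.g. "11.1.4-h7"
    mgmt_ip: str         # IPv4 address bound to the management interface
    permitted_ips: list  # CIDRs allowed to reach it; empty list = no allow-list at all


def release_branch(version: str) -> str:
    """'11.1.4-h7' -> '11.1' (the major.minor branch the advisory talks about)."""
    return ".".join(version.split(".")[:2])


def _is_internal(net: ipaddress.IPv4Network) -> bool:
    # subnet_of() rather than is_private: 0.0.0.0/0 must never count as internal.
    return any(net.subnet_of(t) for t in TRUSTED_INTERNAL)


def mgmt_exposure(fw: Firewall) -> str:
    """Classify management-interface reachability.

    'internal'         - management address itself is in trusted internal space
    'restricted'       - public address, but the allow-list only admits internal ranges
    'public-allowlist' - allow-list admits non-internal ranges (0.0.0.0/0, a public /24, ...)
    'unrestricted'     - public address and no allow-list configured
    """
    mgmt_net = ipaddress.ip_network(fw.mgmt_ip)  # a bare host address becomes a /32
    if _is_internal(mgmt_net):
        return "internal"
    if not fw.permitted_ips:
        return "unrestricted"
    for cidr in fw.permitted_ips:
        if not _is_internal(ipaddress.ip_network(cidr, strict=False)):
            return "public-allowlist"
    return "restricted"


def triage(inventory: list) -> dict:
    """Return {device name: [action items]} for every device that needs attention."""
    findings = {}
    for fw in inventory:
        notes = []
        exposure = mgmt_exposure(fw)
        if exposure in ("unrestricted", "public-allowlist"):
            notes.append(
                f"management interface is {exposure}: restrict it to trusted internal IPs"
            )
        if release_branch(fw.panos_version) in AFFECTED_BRANCHES:
            notes.append(
                f"PAN-OS {fw.panos_version} is on an affected branch: confirm fixes for "
                "CVE-2025-0108, CVE-2025-0111 and CVE-2024-9474 are applied"
            )
        if notes:
            findings[fw.name] = notes
    return findings


# Constructed sample inventory (addresses and versions are made up for the example).
SAMPLE_INVENTORY = [
    Firewall("fw-dc1", "11.1.4", "10.20.0.1", ["10.0.0.0/8"]),
    Firewall("fw-branch", "10.2.9", "198.51.100.10", []),
    Firewall("fw-edge", "11.2.3", "203.0.113.5", ["0.0.0.0/0"]),
    Firewall("fw-lab", "12.0.0", "203.0.113.7", ["192.168.1.0/24"]),  # constructed out-of-range version
]

if __name__ == "__main__":
    for name, notes in triage(SAMPLE_INVENTORY).items():
        print(name)
        for note in notes:
            print("  -", note)
```

The exposure check deliberately avoids `IPv4Network.is_private`, whose result for `0.0.0.0/0` differs across Python versions; testing each permitted CIDR with `subnet_of()` against the trusted ranges gives a deterministic answer, and an empty allow-list on a public address is reported as the worst case rather than silently passing.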

The exploitation attempts have shown a marked increase in frequency and geographic distribution. The attacks primarily originate from locations in the United States, Germany, and the Netherlands, though these source locations may not represent the actual base of operations for the attackers.
