CVE-2025-0108: PAN-OS: Authentication Bypass in the Management Web Interface
First published: Wed Feb 12 2025(Updated: )
An authentication bypass in the in the management web interface of Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. The attacker must have network access to the management web interface to exploit this issue. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue does not affect Cloud NGFW or Prisma Access software.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto PAN-OS | ||
| Palo Alto PAN-OS | ||
| Palo Alto Networks PAN-OS | >=10.1.0<10.1.14 | |
| Palo Alto Networks PAN-OS | >=10.2.0<10.2.7 | |
| Palo Alto Networks PAN-OS | >=10.2.10<10.2.12 | |
| Palo Alto Networks PAN-OS | >=11.0.0<11.1.6 | |
| Palo Alto Networks PAN-OS | >=11.2.0<11.2.4 | |
| Palo Alto Networks PAN-OS | =10.1.14 | |
| Palo Alto Networks PAN-OS | =10.1.14-h2 | |
| Palo Alto Networks PAN-OS | =10.1.14-h4 | |
| Palo Alto Networks PAN-OS | =10.1.14-h6 | |
| Palo Alto Networks PAN-OS | =10.1.14-h8 | |
| Palo Alto Networks PAN-OS | =10.2.7 | |
| Palo Alto Networks PAN-OS | =10.2.7-h1 | |
| Palo Alto Networks PAN-OS | =10.2.7-h12 | |
| Palo Alto Networks PAN-OS | =10.2.7-h16 | |
| Palo Alto Networks PAN-OS | =10.2.7-h18 | |
| Palo Alto Networks PAN-OS | =10.2.7-h19 | |
| Palo Alto Networks PAN-OS | =10.2.7-h21 | |
| Palo Alto Networks PAN-OS | =10.2.7-h3 | |
| Palo Alto Networks PAN-OS | =10.2.7-h6 | |
| Palo Alto Networks PAN-OS | =10.2.7-h8 | |
| Palo Alto Networks PAN-OS | =10.2.8 | |
| Palo Alto Networks PAN-OS | =10.2.8-h10 | |
| Palo Alto Networks PAN-OS | =10.2.8-h13 | |
| Palo Alto Networks PAN-OS | =10.2.8-h15 | |
| Palo Alto Networks PAN-OS | =10.2.8-h18 | |
| Palo Alto Networks PAN-OS | =10.2.8-h19 | |
| Palo Alto Networks PAN-OS | =10.2.8-h3 | |
| Palo Alto Networks PAN-OS | =10.2.8-h4 | |
| Palo Alto Networks PAN-OS | =10.2.9 | |
| Palo Alto Networks PAN-OS | =10.2.9-h1 | |
| Palo Alto Networks PAN-OS | =10.2.9-h11 | |
| Palo Alto Networks PAN-OS | =10.2.9-h14 | |
| Palo Alto Networks PAN-OS | =10.2.9-h16 | |
| Palo Alto Networks PAN-OS | =10.2.9-h18 | |
| Palo Alto Networks PAN-OS | =10.2.9-h19 | |
| Palo Alto Networks PAN-OS | =10.2.9-h9 | |
| Palo Alto Networks PAN-OS | =10.2.12 | |
| Palo Alto Networks PAN-OS | =10.2.12-h1 | |
| Palo Alto Networks PAN-OS | =10.2.12-h2 | |
| Palo Alto Networks PAN-OS | =10.2.12-h3 | |
| Palo Alto Networks PAN-OS | =10.2.12-h4 | |
| Palo Alto Networks PAN-OS | =10.2.13 | |
| Palo Alto Networks PAN-OS | =10.2.13-h1 | |
| Palo Alto Networks PAN-OS | =10.2.13-h2 | |
| Palo Alto Networks PAN-OS | =11.1.6 | |
| Palo Alto Networks PAN-OS | =11.2.4 | |
| Palo Alto Networks PAN-OS | =11.2.4-h1 | |
| Palo Alto Networks PAN-OS | =11.2.4-h2 | |
| Palo Alto Networks Cloud NGFW | ||
| Palo Alto PAN-OS | <10.1.14-h9=10.1.0<10.2.7-h24=10.2.0<11.1.6-h1=11.1.0<11.2.4-h4=11.2.0 | 10.1.14-h9 10.2.7-h24 10.2.8-h21 10.2.9-h21 10.2.12-h6 10.2.13-h3 10.2.10-h14 10.2.11-h12 11.1.6-h1 11.1.2-h18 11.1.4-h13 11.2.4-h4 11.2.5 |
| Palo Alto Networks Prisma Access |
Remedy
Version Minor Version Suggested Solution PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h9 or later PAN-OS 10.2 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or later 10.2.7Upgrade to 10.2.7-h24 or 10.2.13-h3 or later 10.2.8Upgrade to 10.2.8-h21 or 10.2.13-h3 or later 10.2.9Upgrade to 10.2.9-h21 or 10.2.13-h3 or later 10.2.10Upgrade to 10.2.10-h14 or 10.2.13-h3 or later 10.2.11Upgrade to 10.2.11-h12 or 10.2.13-h3 or later 10.2.12Upgrade to 10.2.12-h6 or 10.2.13-h3 or later PAN-OS 11.0 (EoL) Upgrade to a supported fixed versionPAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or later 11.1.2Upgrade to 11.1.2-h18 or 11.1.6-h1 or later PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.4-h4 or laterNote: PAN-OS 11.0 reached end of life (EoL) on November 17, 2024. No additional fixes are planned for this release.
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remedy
Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). Specifically, you should restrict management interface access to only trusted internal IP addresses. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article:https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and detailed technical documentation:https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices Additionally, customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510000 and 510001 (introduced in Applications and Threats content version 8943).
Remedy
VERSION MINOR VERSION SUGGESTED SOLUTION PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h9 or later PAN-OS 10.2 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or later 10.2.7 Upgrade to 10.2.7-h24 or 10.2.13-h3 or later 10.2.8 Upgrade to 10.2.8-h21 or 10.2.13-h3 or later 10.2.9 Upgrade to 10.2.9-h21 or 10.2.13-h3 or later 10.2.10 Upgrade to 10.2.10-h14 or 10.2.13-h3 or later 10.2.11 Upgrade to 10.2.11-h12 or 10.2.13-h3 or later 10.2.12 Upgrade to 10.2.12-h6 or 10.2.13-h3 or later PAN-OS 11.0 (EoL) Upgrade to a supported fixed version PAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or later 11.1.2 Upgrade to 11.1.2-h18 or 11.1.6-h1 or later 11.1.4 Upgrade to 11.1.4-h13 or 11.1.6-h1 or later PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.5 or later 11.2.4 Upgrade to 11.2.4-h4 or 11.2.5 or later All other older Upgrade to a supported fixed version. unsupported PAN-OS versions
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/
- https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
- https://www.darkreading.com/remote-workforce/patch-now-cisa-researchers-warn-palo-alto-flaw-exploited-wild
- https://security.paloaltonetworks.com/CVE-2025-0108
- https://nvd.nist.gov/vuln/detail/CVE-2025-0108
- https://github.com/iSee857/CVE-2025-0108-PoC
- https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.bleepingcomputer.com/news/security/cisa-flags-craft-cms-code-injection-flaw-as-exploited-in-attacks/
Frequently Asked Questions
What is the severity of CVE-2025-0108?
CVE-2025-0108 is categorized as a critical vulnerability due to the potential for unauthenticated access to sensitive management features.
How do I fix CVE-2025-0108?
To remediate CVE-2025-0108, upgrade to the latest patched versions of PAN-OS: 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.4-h4.
What products are affected by CVE-2025-0108?
The affected products include Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access.
Can CVE-2025-0108 be exploited remotely?
Yes, an attacker with network access can exploit CVE-2025-0108 remotely to bypass authentication on the management web interface.
What type of attack is CVE-2025-0108 associated with?
CVE-2025-0108 is associated with authentication bypass attacks that allow unauthorized access to management functionalities.
- agent/first-publish-date
- agent/type
- agent/author
- agent/title
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2025-0108
- alias/CVE-2024-9474
- collector/the-register
- source/The Register
- alias/CVE-2025-0111
- collector/darkreading
- source/Dark Reading
- agent/source
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- alias/CVE-2025-23209
- agent/references
- agent/weakness
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/cisa-known-exploited
- source/CISA
- exploited/true
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/event
- agent/news-ai
- agent/severity
- agent/remedy
- agent/trending
- collector/paloaltonetworks-api
- vendor/palo alto networks
- canonical/palo alto pan-os
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/10.1.0
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/10.2.10
- version/palo alto networks pan-os/11.0.0
- version/palo alto networks pan-os/11.2.0
- version/palo alto networks pan-os/10.1.14
- version/palo alto networks pan-os/10.1.14-h2
- version/palo alto networks pan-os/10.1.14-h4
- version/palo alto networks pan-os/10.1.14-h6
- version/palo alto networks pan-os/10.1.14-h8
- version/palo alto networks pan-os/10.2.7
- version/palo alto networks pan-os/10.2.7-h1
- version/palo alto networks pan-os/10.2.7-h12
- version/palo alto networks pan-os/10.2.7-h16
- version/palo alto networks pan-os/10.2.7-h18
- version/palo alto networks pan-os/10.2.7-h19
- version/palo alto networks pan-os/10.2.7-h21
- version/palo alto networks pan-os/10.2.7-h3
- version/palo alto networks pan-os/10.2.7-h6
- version/palo alto networks pan-os/10.2.7-h8
- version/palo alto networks pan-os/10.2.8
- version/palo alto networks pan-os/10.2.8-h10
- version/palo alto networks pan-os/10.2.8-h13
- version/palo alto networks pan-os/10.2.8-h15
- version/palo alto networks pan-os/10.2.8-h18
- version/palo alto networks pan-os/10.2.8-h19
- version/palo alto networks pan-os/10.2.8-h3
- version/palo alto networks pan-os/10.2.8-h4
- version/palo alto networks pan-os/10.2.9
- version/palo alto networks pan-os/10.2.9-h1
- version/palo alto networks pan-os/10.2.9-h11
- version/palo alto networks pan-os/10.2.9-h14
- version/palo alto networks pan-os/10.2.9-h16
- version/palo alto networks pan-os/10.2.9-h18
- version/palo alto networks pan-os/10.2.9-h19
- version/palo alto networks pan-os/10.2.9-h9
- version/palo alto networks pan-os/10.2.12
- version/palo alto networks pan-os/10.2.12-h1
- version/palo alto networks pan-os/10.2.12-h2
- version/palo alto networks pan-os/10.2.12-h3
- version/palo alto networks pan-os/10.2.12-h4
- version/palo alto networks pan-os/10.2.13
- version/palo alto networks pan-os/10.2.13-h1
- version/palo alto networks pan-os/10.2.13-h2
- version/palo alto networks pan-os/11.1.6
- version/palo alto networks pan-os/11.2.4
- version/palo alto networks pan-os/11.2.4-h1
- version/palo alto networks pan-os/11.2.4-h2
- canonical/palo alto networks cloud ngfw
- version/palo alto pan-os/10.1.0
- version/palo alto pan-os/10.2.0
- version/palo alto pan-os/11.1.0
- version/palo alto pan-os/11.2.0
- canonical/palo alto networks prisma access