Exploited
critical
9.1
CWE
306 94
Advisory Published
CVE Published
Advisory Published
Updated

CVE-2025-0108: PAN-OS: Authentication Bypass in the Management Web Interface

First published: Wed Feb 12 2025(Updated: )

An authentication bypass in the in the management web interface of Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. The attacker must have network access to the management web interface to exploit this issue. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). This issue does not affect Cloud NGFW or Prisma Access software.

Credit: psirt@paloaltonetworks.com

Affected SoftwareAffected VersionHow to fix
Palo Alto PAN-OS
Palo Alto PAN-OS
Palo Alto Networks Cloud NGFW
Palo Alto PAN-OS<10.1.14-h9=10.1.0<10.2.7-h24=10.2.0<11.1.6-h1=11.1.0<11.2.4-h4=11.2.0
10.1.14-h9
10.2.7-h24
10.2.8-h21
10.2.9-h21
10.2.12-h6
10.2.13-h3
10.2.10-h14
10.2.11-h12
11.1.6-h1
11.1.2-h18
11.1.4-h13
11.2.4-h4
11.2.5
Prisma
Palo Alto Networks PAN-OS>=10.1.0<10.1.14
Palo Alto Networks PAN-OS>=10.2.0<10.2.7
Palo Alto Networks PAN-OS>=10.2.10<10.2.12
Palo Alto Networks PAN-OS>=11.2.0<11.2.4
Palo Alto Networks PAN-OS=10.1.14
Palo Alto Networks PAN-OS=10.1.14-h1
Palo Alto Networks PAN-OS=10.1.14-h2
Palo Alto Networks PAN-OS=10.1.14-h3
Palo Alto Networks PAN-OS=10.1.14-h4
Palo Alto Networks PAN-OS=10.1.14-h5
Palo Alto Networks PAN-OS=10.1.14-h6
Palo Alto Networks PAN-OS=10.1.14-h7
Palo Alto Networks PAN-OS=10.1.14-h8
Palo Alto Networks PAN-OS=10.2.7
Palo Alto Networks PAN-OS=10.2.7-h1
Palo Alto Networks PAN-OS=10.2.7-h10
Palo Alto Networks PAN-OS=10.2.7-h11
Palo Alto Networks PAN-OS=10.2.7-h12
Palo Alto Networks PAN-OS=10.2.7-h13
Palo Alto Networks PAN-OS=10.2.7-h14
Palo Alto Networks PAN-OS=10.2.7-h15
Palo Alto Networks PAN-OS=10.2.7-h16
Palo Alto Networks PAN-OS=10.2.7-h17
Palo Alto Networks PAN-OS=10.2.7-h18
Palo Alto Networks PAN-OS=10.2.7-h19
Palo Alto Networks PAN-OS=10.2.7-h2
Palo Alto Networks PAN-OS=10.2.7-h20
Palo Alto Networks PAN-OS=10.2.7-h21
Palo Alto Networks PAN-OS=10.2.7-h22
Palo Alto Networks PAN-OS=10.2.7-h23
Palo Alto Networks PAN-OS=10.2.7-h3
Palo Alto Networks PAN-OS=10.2.7-h4
Palo Alto Networks PAN-OS=10.2.7-h5
Palo Alto Networks PAN-OS=10.2.7-h6
Palo Alto Networks PAN-OS=10.2.7-h7
Palo Alto Networks PAN-OS=10.2.7-h8
Palo Alto Networks PAN-OS=10.2.7-h9
Palo Alto Networks PAN-OS=10.2.8
Palo Alto Networks PAN-OS=10.2.8
Palo Alto Networks PAN-OS=10.2.8-h1
Palo Alto Networks PAN-OS=10.2.8-h10
Palo Alto Networks PAN-OS=10.2.8-h11
Palo Alto Networks PAN-OS=10.2.8-h12
Palo Alto Networks PAN-OS=10.2.8-h13
Palo Alto Networks PAN-OS=10.2.8-h14
Palo Alto Networks PAN-OS=10.2.8-h15
Palo Alto Networks PAN-OS=10.2.8-h16
Palo Alto Networks PAN-OS=10.2.8-h17
Palo Alto Networks PAN-OS=10.2.8-h18
Palo Alto Networks PAN-OS=10.2.8-h19
Palo Alto Networks PAN-OS=10.2.8-h2
Palo Alto Networks PAN-OS=10.2.8-h20
Palo Alto Networks PAN-OS=10.2.8-h3
Palo Alto Networks PAN-OS=10.2.8-h4
Palo Alto Networks PAN-OS=10.2.8-h5
Palo Alto Networks PAN-OS=10.2.8-h6
Palo Alto Networks PAN-OS=10.2.8-h7
Palo Alto Networks PAN-OS=10.2.8-h8
Palo Alto Networks PAN-OS=10.2.8-h9
Palo Alto Networks PAN-OS=10.2.9
Palo Alto Networks PAN-OS=10.2.9-h1
Palo Alto Networks PAN-OS=10.2.9-h11
Palo Alto Networks PAN-OS=10.2.9-h12
Palo Alto Networks PAN-OS=10.2.9-h13
Palo Alto Networks PAN-OS=10.2.9-h14
Palo Alto Networks PAN-OS=10.2.9-h15
Palo Alto Networks PAN-OS=10.2.9-h16
Palo Alto Networks PAN-OS=10.2.9-h17
Palo Alto Networks PAN-OS=10.2.9-h18
Palo Alto Networks PAN-OS=10.2.9-h19
Palo Alto Networks PAN-OS=10.2.9-h2
Palo Alto Networks PAN-OS=10.2.9-h20
Palo Alto Networks PAN-OS=10.2.9-h3
Palo Alto Networks PAN-OS=10.2.9-h4
Palo Alto Networks PAN-OS=10.2.9-h5
Palo Alto Networks PAN-OS=10.2.9-h6
Palo Alto Networks PAN-OS=10.2.9-h7
Palo Alto Networks PAN-OS=10.2.9-h8
Palo Alto Networks PAN-OS=10.2.9-h9
Palo Alto Networks PAN-OS=10.2.10-h1
Palo Alto Networks PAN-OS=10.2.10-h10
Palo Alto Networks PAN-OS=10.2.10-h11
Palo Alto Networks PAN-OS=10.2.10-h12
Palo Alto Networks PAN-OS=10.2.10-h13
Palo Alto Networks PAN-OS=10.2.10-h14
Palo Alto Networks PAN-OS=10.2.10-h2
Palo Alto Networks PAN-OS=10.2.10-h3
Palo Alto Networks PAN-OS=10.2.10-h4
Palo Alto Networks PAN-OS=10.2.10-h5
Palo Alto Networks PAN-OS=10.2.10-h6
Palo Alto Networks PAN-OS=10.2.10-h7
Palo Alto Networks PAN-OS=10.2.10-h8
Palo Alto Networks PAN-OS=10.2.10-h9
Palo Alto Networks PAN-OS=10.2.11-h1
Palo Alto Networks PAN-OS=10.2.11-h10
Palo Alto Networks PAN-OS=10.2.11-h11
Palo Alto Networks PAN-OS=10.2.11-h2
Palo Alto Networks PAN-OS=10.2.11-h3
Palo Alto Networks PAN-OS=10.2.11-h4
Palo Alto Networks PAN-OS=10.2.11-h5
Palo Alto Networks PAN-OS=10.2.11-h6
Palo Alto Networks PAN-OS=10.2.11-h7
Palo Alto Networks PAN-OS=10.2.11-h8
Palo Alto Networks PAN-OS=10.2.11-h9
Palo Alto Networks PAN-OS=10.2.12
Palo Alto Networks PAN-OS=10.2.12-h1
Palo Alto Networks PAN-OS=10.2.12-h2
Palo Alto Networks PAN-OS=10.2.12-h3
Palo Alto Networks PAN-OS=10.2.12-h4
Palo Alto Networks PAN-OS=10.2.12-h5
Palo Alto Networks PAN-OS=10.2.13
Palo Alto Networks PAN-OS=10.2.13-h1
Palo Alto Networks PAN-OS=10.2.13-h2
Palo Alto Networks PAN-OS=11.1.0
Palo Alto Networks PAN-OS=11.1.1
Palo Alto Networks PAN-OS=11.1.2
Palo Alto Networks PAN-OS=11.1.2-h1
Palo Alto Networks PAN-OS=11.1.2-h10
Palo Alto Networks PAN-OS=11.1.2-h11
Palo Alto Networks PAN-OS=11.1.2-h12
Palo Alto Networks PAN-OS=11.1.2-h13
Palo Alto Networks PAN-OS=11.1.2-h14
Palo Alto Networks PAN-OS=11.1.2-h15
Palo Alto Networks PAN-OS=11.1.2-h16
Palo Alto Networks PAN-OS=11.1.2-h17
Palo Alto Networks PAN-OS=11.1.2-h2
Palo Alto Networks PAN-OS=11.1.2-h3
Palo Alto Networks PAN-OS=11.1.2-h4
Palo Alto Networks PAN-OS=11.1.2-h5
Palo Alto Networks PAN-OS=11.1.2-h6
Palo Alto Networks PAN-OS=11.1.2-h7
Palo Alto Networks PAN-OS=11.1.2-h8
Palo Alto Networks PAN-OS=11.1.2-h9
Palo Alto Networks PAN-OS=11.1.3
Palo Alto Networks PAN-OS=11.1.4
Palo Alto Networks PAN-OS=11.1.4-h1
Palo Alto Networks PAN-OS=11.1.4-h10
Palo Alto Networks PAN-OS=11.1.4-h11
Palo Alto Networks PAN-OS=11.1.4-h12
Palo Alto Networks PAN-OS=11.1.4-h2
Palo Alto Networks PAN-OS=11.1.4-h3
Palo Alto Networks PAN-OS=11.1.4-h4
Palo Alto Networks PAN-OS=11.1.4-h5
Palo Alto Networks PAN-OS=11.1.4-h6
Palo Alto Networks PAN-OS=11.1.4-h7
Palo Alto Networks PAN-OS=11.1.4-h8
Palo Alto Networks PAN-OS=11.1.4-h9
Palo Alto Networks PAN-OS=11.1.5
Palo Alto Networks PAN-OS=11.1.6
Palo Alto Networks PAN-OS=11.2.4
Palo Alto Networks PAN-OS=11.2.4-h1
Palo Alto Networks PAN-OS=11.2.4-h2
Palo Alto Networks PAN-OS=11.2.4-h3

Remedy

Version Minor Version Suggested Solution PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h9 or later PAN-OS 10.2 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or later  10.2.7Upgrade to 10.2.7-h24 or 10.2.13-h3 or later 10.2.8Upgrade to 10.2.8-h21 or 10.2.13-h3 or later 10.2.9Upgrade to 10.2.9-h21 or 10.2.13-h3 or later 10.2.10Upgrade to 10.2.10-h14 or 10.2.13-h3 or later 10.2.11Upgrade to 10.2.11-h12 or 10.2.13-h3 or later  10.2.12Upgrade to 10.2.12-h6 or 10.2.13-h3 or later PAN-OS 11.0 (EoL) Upgrade to a supported fixed versionPAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or later  11.1.2Upgrade to 11.1.2-h18 or 11.1.6-h1 or later PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.4-h4 or laterNote: PAN-OS 11.0 reached end of life (EoL) on November 17, 2024. No additional fixes are planned for this release.

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Remedy

Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431). Specifically, you should restrict management interface access to only trusted internal IP addresses. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article:https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and detailed technical documentation:https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices Additionally, customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510000 and 510001 (introduced in Applications and Threats content version 8943).

Remedy

VERSION MINOR VERSION SUGGESTED SOLUTION PAN-OS 10.1 10.1.0 through 10.1.14 Upgrade to 10.1.14-h9 or later PAN-OS 10.2 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or later   10.2.7 Upgrade to 10.2.7-h24 or 10.2.13-h3 or later   10.2.8 Upgrade to 10.2.8-h21 or 10.2.13-h3 or later   10.2.9 Upgrade to 10.2.9-h21 or 10.2.13-h3 or later   10.2.10 Upgrade to 10.2.10-h14 or 10.2.13-h3 or later   10.2.11 Upgrade to 10.2.11-h12 or 10.2.13-h3 or later    10.2.12 Upgrade to 10.2.12-h6 or 10.2.13-h3 or later PAN-OS 11.0 (EoL)   Upgrade to a supported fixed version PAN-OS 11.1 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or later   11.1.2 Upgrade to 11.1.2-h18 or 11.1.6-h1 or later   11.1.4 Upgrade to 11.1.4-h13 or 11.1.6-h1 or later PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.5 or later   11.2.4 Upgrade to 11.2.4-h4 or 11.2.5 or later All other older   Upgrade to a supported fixed version. unsupported PAN-OS versions

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is the severity of CVE-2025-0108?

    CVE-2025-0108 is categorized as a critical vulnerability due to the potential for unauthenticated access to sensitive management features.

  • How do I fix CVE-2025-0108?

    To remediate CVE-2025-0108, upgrade to the latest patched versions of PAN-OS: 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.4-h4.

  • What products are affected by CVE-2025-0108?

    The affected products include Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access.

  • Can CVE-2025-0108 be exploited remotely?

    Yes, an attacker with network access can exploit CVE-2025-0108 remotely to bypass authentication on the management web interface.

  • What type of attack is CVE-2025-0108 associated with?

    CVE-2025-0108 is associated with authentication bypass attacks that allow unauthorized access to management functionalities.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203