Emerging Threat: PAN-OS CVE-2025-0108

What is CVE-2025-0108? 

On February 12, 2025, Palo Alto Networks announced CVE-2025-0108, a high severity (8.8) authentication bypass vulnerability affecting Palo Alto Networks PAN-OS management web interface. 

Successful exploitation of this vulnerability allows unauthenticated attackers with network access to invoke certain PHP scripts without proper authentication. While it does not lead to remote code execution, it impacts the confidentiality and integrity of the affected system.  

What assets are affected by CVE-2025-0108? 

Cloud NGFW and Prisma Access assets are not affected by this vulnerability. The following PAN-OS versions are affected by CVE-2025-0108: 

• PAN-OS 10.1: 10.1.0 through 10.1.14
• PAN-OS 10.2: 10.2.0 through 10.2.13
• PAN-OS 11.1: 11.1.0* through 11.1.6
• PAN-OS 11.2: 11.2.0 through 11.2.4

Note that PAN-OS 11.0 reached end of life (EOL) in November 2024. Because of this, no additional fixes will be released for this version and users are advised to upgrade to a supported version. 

Are fixes available? 

Palo Alto Networks has released patches for CVE-2025-0108: 

• PAN-OS 11.2: Upgrade to 11.2.4-h4 or later
• PAN-OS 11.1: Upgrade to 11.1.6-h1 or later
• PAN-OS 10.2: Upgrade to 10.2.13-h3 or later
• PAN-OS 10.1: Upgrade to 10.1.14-h9 or later

Are there any other recommended actions to take? 

Palo Alto Networks had indicated that the risk from this vulnerability is highest if traffic from external IP addresses is able to access the management interface, either directly or through a dataplane interface that includes a management interface portal. This risk can be reduced by using a jump box to restrict access to only trusted IP addresses.  

Is CVE-2025-0108 being actively exploited? 

There is a public proof of concept (PoC) available for CVE-2025-0108. Palo Alto Networks also has observed active attempts to exploit this vulnerability in the wild, including attempts to chain CVE-2025-0108 to CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces. 

How is CyCognito helping customers identify assets vulnerable to CVE-2025-0108? 

CyCognito published an emerging threat advisory within the CyCognito platform and advises customers to review assets running PAN-OS management services on HTTP/HTTPS ports (e.g., TCP/443, TCP/4443) to assess exposure, even if they are not explicitly identified as running vulnerable versions. While HTTPS is the standard for secure access to the PAN-OS management web interface, HTTP may still be in use due to misconfigurations or non-standard deployments. 

Figure 1: The alert sent by CyCognito for CVE-2025-0108

How can CyCognito help your organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.