Palo Alto Networks warns of new critical vulnerability
CVE-2025-0108 already being targeted by hackers with users urged to apply latest patches ASAP
Palo Alto Networks has warned that a recently published critical vulnerability in its firewall software is already being actively exploited by hackers.
CVE-2025-0108 was uncovered by security vendor Assetnote while it was analysing previous Palo Alto Networks vulnerabilities and the patches produced to remediate the threat. “As we looked further into the architecture of the management interface, we suspected something was off, even post-patch,” the company wrote in a post.
In the process, the company discovered a zero-day authentication bypass in the PAN-OS management interface.
The company described the flaw as: “An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts.
“While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.”
In essence, the flaw entails the use of two already identified and patched security flaws – CVE-2024-9474 and CVE-2025-0111 – in order to compromise unpatched PAN-OS management interfaces. Palo Alto Networks has given the flaw a score of 8.8 out of 10 for severity, while admitting that the complexity of the attack is “low”.
The company advises: “This issue is fixed in PAN-OS 10.2.14, PAN-OS 11.0.7, PAN-OS 11.2.5, and all later PAN-OS versions. Internally, this was assigned as PAN-273971. Palo Alto recommends whitelisting IPs in the management interface to prevent this or similar vulnerabilities from being exploited over the internet.”
Cybersecurity firm GreyNoise, meanwhile, claims to have observed attempts to exploit the vulnerability in the wild.
“GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems,” it warned.
It issued three steps that ought to be taken by Palo Alto Networks firewall users as a matter of urgency.
First, apply the security patches for PAN-OS as soon as possible. Second, restrict access to firewall management interfaces and ensure that they are not publicly exposed. Finally, of course, monitor active exploitation trends in the wild using tools from companies like GreyNoise.
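An added example, not code from Palo Alto Networks, GreyNoise or this article: a triage script for the first step, comparing an inventory of PAN-OS versions against the fixed releases quoted above. It assumes the `major.minor.maintenance[-hN]` version format, and the hostnames and inventory are constructed; branches and hotfix builds the quoted text does not name are reported as `check-advisory` rather than guessed.

```python
import re

# Fixed releases exactly as quoted on this page, keyed by (major, minor) branch.
FIXED = {(10, 2): 14, (11, 0): 7, (11, 2): 5}

# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def triage(version: str) -> str:
    """Return 'fixed', 'below-fix' or 'check-advisory' for one version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "check-advisory"  # unparseable: do not guess
    major, minor, maint = (int(m.group(i)) for i in (1, 2, 3))
    fixed_maint = FIXED.get((major, minor))
    if fixed_maint is None:
        # Branch not named in the quoted text. Assumption: treat it as unknown
        # instead of reading "all later versions" across branches.
        return "check-advisory"
    if maint >= fixed_maint:  # numeric compare, so 11.2.10 > 11.2.5
        return "fixed"
    if m.group(4) is not None:
        # The page lists no hotfix builds, so a hotfix below the fixed
        # maintenance release cannot be classified from it.
        return "check-advisory"
    return "below-fix"


def triage_inventory(inventory: dict) -> dict:
    """Group hostnames by triage result so unpatched devices stand out."""
    result = {"below-fix": [], "check-advisory": [], "fixed": []}
    for host, version in inventory.items():
        result[triage(version)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-01": "10.2.13", "fw-edge-02": "10.2.14",
    "fw-dc-01": "11.0.6-h1", "fw-dc-02": "11.2.5",
    "fw-lab-01": "11.1.4", "fw-lab-02": "11.2.10",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:15} {', '.join(hosts)}")
```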
Computing reported on the vulnerabilities, and the wave of attacks on PAN-OS that followed, when the first of them were published in November.