CVE-2025-0108
Published: 12 February 2025
Summary
CVE-2025-0108 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Palo Alto Networks PAN-OS. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-7 (Boundary Protection): monitors and controls communications at system boundaries, restricting network access to the PAN-OS management web interface to trusted internal IP addresses. This directly implements the vendor's primary risk-reduction recommendation.
- SI-2 (Flaw Remediation): requires timely flaw remediation through installation of the available PAN-OS patch, which removes the authentication bypass.
- Remote access to management functions such as the web interface is explicitly established and authorized, enforcing controls that limit exposure even where the interface is reachable.
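The SC-7 control above is only effective if the management plane is actually restricted on every path that reaches it: the dedicated MGT port and any data-plane interface that carries an interface-management profile with HTTPS enabled. The following Python is an added audit check, not code from this page or from Palo Alto Networks. It parses a PAN-OS XML configuration export and reports any management-web-interface path that is reachable from outside a trusted address set. The XML element paths (`deviceconfig/system/permitted-ip` for the MGT port, `network/profiles/interface-management-profile/entry` for data-plane profiles), the sample configuration and the trusted networks are all assumptions constructed for the example; verify the paths against your own export before relying on it.

```python
"""Audit a PAN-OS configuration export for management-plane exposure.

Added example (not Palo Alto Networks code). Assumed XML layout:
  devices/entry/deviceconfig/system/permitted-ip/entry@name   MGT-port allow-list
  devices/entry/network/profiles/interface-management-profile/entry
      <https>yes</https> plus an optional permitted-ip/entry@name list
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample export: empty MGT allow-list plus three interface-management
# profiles, one restricted to a jump-host subnet, one ping-only, one HTTPS to anyone.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig><system><permitted-ip/></system></deviceconfig>
      <network><profiles><interface-management-profile>
        <entry name="mgmt-from-jumphosts">
          <https>yes</https><ssh>yes</ssh>
          <permitted-ip><entry name="10.20.30.0/24"/></permitted-ip>
        </entry>
        <entry name="ping-only"><ping>yes</ping></entry>
        <entry name="wide-open"><https>yes</https></entry>
      </interface-management-profile></profiles></network>
    </entry>
  </devices>
</config>
"""

# Networks the organisation treats as trusted management sources (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24"),
                ipaddress.ip_network("192.168.100.0/24")]


def permitted_cidrs(node):
    """Return the address entries under a node's <permitted-ip>, or [] if none."""
    if node is None:
        return []
    return [e.get("name") for e in node.findall("permitted-ip/entry") if e.get("name")]


def untrusted(cidrs):
    """Return the entries that are not fully contained in some trusted network."""
    out = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # a bare host becomes /32 or /128
        if not any(t.version == net.version and net.subnet_of(t) for t in TRUSTED_NETS):
            out.append(cidr)
    return out


def audit(config_xml):
    """Return a list of human-readable findings; an empty list means no exposure found."""
    root = ET.fromstring(config_xml)
    findings = []
    for dev in root.findall("devices/entry"):
        name = dev.get("name", "?")
        # 1. MGT port: no permitted-ip entries means the web UI answers to any source.
        mgt = permitted_cidrs(dev.find("deviceconfig/system"))
        if not mgt:
            findings.append(f"{name}: MGT interface has no permitted-ip entries; "
                            "web UI reachable from any source")
        for cidr in untrusted(mgt):
            findings.append(f"{name}: MGT permitted-ip {cidr} is outside trusted networks")
        # 2. Data-plane interface-management profiles that expose HTTPS.
        for prof in dev.findall("network/profiles/interface-management-profile/entry"):
            pname = prof.get("name", "?")
            if prof.findtext("https") != "yes":
                continue
            cidrs = permitted_cidrs(prof)
            if not cidrs:
                findings.append(f"{name}: profile {pname} allows HTTPS with no permitted-ip restriction")
            for cidr in untrusted(cidrs):
                findings.append(f"{name}: profile {pname} allows HTTPS from {cidr}, outside trusted networks")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports two findings (the empty MGT allow-list and the `wide-open` profile) and stays silent on `mgmt-from-jumphosts`, whose only permitted source sits inside a trusted network. Feed it the output of a real `show config running` export to check every firewall before and after applying the SI-2 patch; a clean report is the evidence that the SC-7 restriction is in place.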
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-0108 enables unauthenticated access to the PAN-OS management web interface (T1190, T1210). Chained exploitation facilitates collection of local data, including configuration files (T1005, T1602.002).
NVD Description
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.
Deeper analysis
CVE-2025-0108 is an authentication bypass in the management web interface of Palo Alto Networks PAN-OS, published on 2025-02-12. An unauthenticated attacker with network access to the interface can bypass authentication and invoke certain PHP scripts. This does not yield remote code execution, but it can compromise the integrity and confidentiality of PAN-OS. Cloud NGFW and Prisma Access are not affected. The flaw is classified as CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Exploitation requires only network reachability of the exposed management web interface: attack complexity is low and no privileges or user interaction are needed. Successful exploitation lets the attacker invoke specific PHP scripts, potentially compromising the confidentiality and integrity of firewall configuration or data without affecting availability.
Palo Alto Networks recommends greatly reducing the risk by restricting management web interface access to trusted internal IP addresses, following its best-practice deployment guidelines. A patch is available; see the official security advisory at https://security.paloaltonetworks.com/CVE-2025-0108.
Notable context: a public proof-of-concept exploit is available on GitHub at https://github.com/iSee857/CVE-2025-0108-PoC, and active exploitation in the wild has been reported. Palo Alto Networks has tagged the flaw as exploited and CISA has urged immediate patching.
Details
- CWE(s): CWE-306
- KEV Date Added: 18 February 2025