64/68 Monday, February 17, 2025
Hackers are actively exploiting CVE-2025-0108, a vulnerability in Palo Alto Networks’ PAN-OS firewall, which allows attackers to bypass authentication and gain access to the web-based management system without requiring a password. While this vulnerability does not enable remote code execution directly, it poses a significant security risk to sensitive data. Researchers from the Shadowserver Foundation detected exploitation attempts targeting this flaw as early as February 13, 2024, using recently released proof-of-concept (PoC) code.
The vulnerability was discovered by Assetnote, which conducted an in-depth analysis and reported the issue to Palo Alto Networks. Researchers found that CVE-2025-0108 stems from improper URL decoding in PAN-OS, leading to an authentication bypass. The core weakness arises from discrepancies in how Nginx and Apache process requests, resulting in a directory traversal vulnerability that allows unauthorized execution of PHP scripts. Additionally, since Nginx disables authentication for certain parts of the system, attackers can access the PAN-OS management interface without valid credentials.
Palo Alto Networks has urged organizations to immediately update to secure versions and restrict access to the management interface to internal networks to mitigate risks. The patched versions include PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. Administrators should also review security configurations and monitor for any unusual activity within their systems to prevent potential damage.
Source https://securityaffairs.com/174237/hacking/exploitation-palo-alto-networks-pan-os-firewalls-bug.html
