Palo Alto Networks PAN-OS, management web interface authentication bypass
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. Cloud NGFW and Prisma Access are unaffected.
Overview
CVE-2025-0108 is a critical (CVSS 9.1) authentication bypass in the management web interface of Palo Alto Networks PAN-OS, the operating system powering Palo Alto next-generation firewalls. An unauthenticated attacker with network access to the management web interface can bypass the authentication it normally requires and invoke certain PHP scripts. While invoking these scripts does not by itself enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS. NVD published the record on February 12, 2025, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on February 18, 2025 after Palo Alto observed exploit attempts chaining it with other PAN-OS flaws. Cloud NGFW and Prisma Access are unaffected.
Technical Details
The weakness is classified as CWE-306 (missing authentication for critical function). It arises from a path-confusion discrepancy between the Nginx front end and the Apache back end that serve the PAN-OS management web interface: the two components normalize a request path differently, so a crafted path can be treated by the front end as a route that needs no authentication yet be dispatched by the back end to a PHP script that should require it. Exploitation requires network access to the management interface but no valid credentials and no user interaction. The NVD primary (NIST) assessment is CVSS 3.1 with a base score of 9.1 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; Palo Alto Networks, as the CNA, assigned a CVSS 4.0 base score of 8.8. Attackers were observed chaining this bypass with other PAN-OS vulnerabilities (CVE-2024-9474 and CVE-2025-0111) to amplify impact on unpatched systems.
Impact
- Unauthenticated invocation of PAN-OS management PHP scripts, bypassing the interface's authentication.
- Disclosure of sensitive configuration and system data, impacting confidentiality.
- Unauthorized changes to firewall state, impacting integrity.
- A foothold that attackers chained with other PAN-OS flaws to escalate impact.
Mitigation
- Upgrade PAN-OS 10.1 to 10.1.14-h9 or later.
- Upgrade PAN-OS 10.2 to the applicable fixed maintenance release (for example 10.2.7-h24, 10.2.8-h21, 10.2.9-h21, 10.2.10-h14, 10.2.11-h12, 10.2.12-h6, 10.2.13-h3) or later.
- Upgrade PAN-OS 11.1 to the applicable fixed maintenance release (for example 11.1.2-h18, 11.1.4-h13, 11.1.6-h1) or later, and PAN-OS 11.2 to 11.2.4-h4, 11.2.5, or later.
- Restrict access to the management web interface to only trusted internal IP addresses per Palo Alto's best-practice guidance; do not expose the management interface to the internet.
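The fixed-build list above is awkward to apply by eye across a fleet because each 10.2 and 11.1 maintenance release has its own hotfix threshold. The following is an added example (not Palo Alto code and not driven by any vendor feed): it parses PAN-OS version strings of the form major.minor.maint-hN, compares them against the builds listed on this page, and labels each firewall as fixed, needing an upgrade, or not covered by the table. The inventory in the usage block is constructed; the "or later" handling for maintenance releases newer than any listed on a train follows the wording above and is an assumption noted in the code.

```python
"""Check running PAN-OS builds against the fixed versions listed on this page.
Added example; the table below is transcribed from the Mitigation list, not
fetched from a vendor API."""
import re
from typing import Dict, Optional, Tuple

# Fixed builds from the Mitigation section of this page.
FIXED_BUILDS = [
    "10.1.14-h9",
    "10.2.7-h24", "10.2.8-h21", "10.2.9-h21", "10.2.10-h14",
    "10.2.11-h12", "10.2.12-h6", "10.2.13-h3",
    "11.1.2-h18", "11.1.4-h13", "11.1.6-h1",
    "11.2.4-h4", "11.2.5",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple. A missing
    hotfix suffix means the base maintenance release, i.e. hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


# Index the table as (major, minor) -> {maintenance release: required hotfix}.
_FIXED_BY_TRAIN: Dict[Tuple[int, int], Dict[int, int]] = {}
for _build in FIXED_BUILDS:
    _maj, _min, _mnt, _hf = parse_version(_build)
    _FIXED_BY_TRAIN.setdefault((_maj, _min), {})[_mnt] = _hf


def is_fixed(running: str) -> Optional[bool]:
    """True if the running build is at or above the fixed build for its
    maintenance release, False if it must be upgraded, None if its train
    (for example 11.0 or 9.x) is not covered by the table on this page."""
    major, minor, maint, hotfix = parse_version(running)
    train = _FIXED_BY_TRAIN.get((major, minor))
    if train is None:
        return None
    if maint in train:
        return hotfix >= train[maint]
    # Assumption: a maintenance release newer than every listed one on the
    # same train is covered by the page's "or later" wording. An older,
    # unlisted release (e.g. 10.2.6 or 11.1.3) has no fixed hotfix and must
    # be moved to one of the listed builds.
    return maint > max(train)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label every host in a {hostname: running version} inventory."""
    labels = {True: "fixed", False: "upgrade", None: "not in table"}
    return {host: labels[is_fixed(version)] for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    fleet = {"fw-edge-1": "10.2.9-h21", "fw-edge-2": "10.2.10-h13",
             "fw-dc-1": "11.1.3-h2", "fw-lab": "11.0.4"}
    for host, label in triage(fleet).items():
        print(f"{host:10} {fleet[host]:12} {label}")
```

A result of "upgrade" or "not in table" is an action item; a fleet inventory should be checked again after patching, because the page's Detection guidance treats the running build as the only reliable indicator that the bypass is closed.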
Detection
Start with an exposure inventory: identify every PAN-OS firewall, determine which management web interfaces were reachable from untrusted networks or the internet while unpatched, and prioritize those, since exposure is the single biggest risk amplifier for this bug (Cloud NGFW and Prisma Access are out of scope). Open-source proof-of-concept exploits and active scanning followed disclosure, and CISA added CVE-2025-0108 to the Known Exploited Vulnerabilities catalog on February 18, 2025, so an unpatched, exposed interface should be treated as a probable target rather than a theoretical one.

Review the management web interface access logs for requests that reached PHP scripts without an authenticated session, for path-confusion patterns (unusual path segments, percent-encoded traversal, or paths that the Nginx front end and the Apache back end would route differently), and for access from source addresses outside the trusted management allowlist. Inspect the firewall for unexpected configuration drift, exported configuration or log data, and signs that scripts were invoked outside normal administrative activity. Confirm the running PAN-OS build against the fixed versions in the Mitigation section, since a patched build is the only reliable indicator that the bypass is closed.
Because attackers chained this bypass with CVE-2024-9474 and CVE-2025-0111, correlate any suspicious management-plane request with follow-on events such as configuration exports, new or modified administrator accounts, changed management profiles, or file writes, since the chain is where real impact occurs. Review the configuration audit log for changes that do not map to legitimate administration, and compare the running configuration against a known-good baseline to surface drift. Confirm that management-interface access is now restricted to trusted internal IP addresses per Palo Alto and CISA guidance. Treat eradication as incomplete until the firewall is patched, the management interface is no longer exposed to untrusted networks, administrative credentials and API keys have been rotated, and the device has been reviewed for evidence of chained exploitation.
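The log review described above turns on one idea: the path the front end used to decide whether authentication was needed is not the path the back end used to pick a PHP script. The following is an added example, not PAN-OS code or a vendor signature, that applies that idea to access log lines. It decodes and normalizes each request path the way a filesystem-backed back end would, flags lines where a PHP target only appears after normalization or where an encoded or literal traversal segment is present, and marks requests from outside a trusted management allowlist. The combined-log line format, the allowlist networks, and the sample lines (including their paths) are all constructed for illustration and do not reproduce any real exploit request.

```python
"""Flag management-interface access log lines matching the path-confusion
patterns described above. Added example; log format, allowlist and sample
lines are constructed, not PAN-OS output or a vendor detection signature."""
import ipaddress
import re
from posixpath import normpath
from typing import Dict, List
from urllib.parse import unquote

# Assumed allowlist of networks permitted to reach the management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]

# Assumed combined-log-style format for the front-end access log.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Literal or percent-encoded '..' followed by a literal or encoded '/'.
_TRAVERSAL_RE = re.compile(r"(?:%2e|\.){2}(?:%2f|/)", re.IGNORECASE)


def normalize_path(raw_target: str) -> str:
    """Decode percent-encoding until stable (a front end and a back end may
    decode at different stages, and double encoding is common) and collapse
    dot segments the way a filesystem-backed back end would before dispatch."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):  # bounded so hostile input cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return normpath(path)


def analyze(line: str) -> Dict:
    """Parse one line and list the reasons it looks like path confusion."""
    m = _LOG_RE.match(line)
    if not m:
        return {"parsed": False, "line": line}
    raw_path = m["target"].split("?", 1)[0]
    normalized = normalize_path(raw_path)
    flags: List[str] = []
    # The front end routes on raw_path; a normalizing back end dispatches on
    # `normalized`. A PHP script that only appears after normalization is the
    # front-end/back-end mismatch the Detection section describes.
    if normalized.lower().endswith(".php") and normalized != raw_path:
        flags.append("php-target-differs-after-normalization")
    if _TRAVERSAL_RE.search(raw_path):
        flags.append("traversal-segment")
    src = ipaddress.ip_address(m["ip"])
    untrusted = not any(src in net for net in TRUSTED_MGMT_NETS)
    return {
        "parsed": True, "ip": m["ip"], "method": m["method"],
        "path": raw_path, "normalized": normalized,
        "status": int(m["status"]), "flags": flags,
        "untrusted_source": untrusted,
    }


def triage(lines: List[str]) -> List[Dict]:
    """Keep only flagged lines; untrusted sources and 2xx responses sort
    first, because a 2xx means the back end actually executed the script."""
    hits = [r for r in map(analyze, lines) if r.get("flags")]
    hits.sort(key=lambda r: (not r["untrusted_source"], r["status"] // 100 != 2))
    return hits


# Constructed sample lines: not real PAN-OS logs and not real exploit paths.
SAMPLE_LOG = [
    '10.0.5.20 - - [18/Feb/2025:09:58:11 +0000] "GET /php/login.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2025:10:01:02 +0000] "GET /static/%2e%2e/php/config_export.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '10.0.5.21 - - [18/Feb/2025:10:03:45 +0000] "GET /static/../php/status.php HTTP/1.1" 404 210 "-" "python-requests/2.31"',
    '203.0.113.9 - - [18/Feb/2025:10:05:00 +0000] "GET /php/login.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], "->", hit["normalized"],
              hit["flags"], "UNTRUSTED" if hit["untrusted_source"] else "trusted")
```

The fourth sample line, a normal request from an untrusted address, is deliberately not flagged by this heuristic: it is an exposure finding for the inventory step, not a path-confusion indicator, and the two should be tracked separately so that the flagged hits can be correlated with the follow-on events (configuration exports, new administrators, management-profile changes) described above.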