Urgent Security Alert: Exploitation of Authentication Bypass Flaw in Palo Alto Networks PAN-OS

Cybersecurity Alert: Exploitation of Critical Flaw in Palo Alto Networks PAN-OS

In a growing cyber threat, attackers are exploiting a critical authentication bypass vulnerability identified in Palo Alto Networks’ PAN-OS software, allowing unauthorized users to circumvent security measures and execute specific PHP scripts. Designated as CVE-2025-0108, this zero-day flaw was disclosed on February 12 and is now of significant concern for cybersecurity professionals.

The Cybersecurity and Infrastructure Security Agency (CISA), alongside numerous security researchers, has reported a surge in attacks leveraging this vulnerability, affecting various PAN-OS versions including v11.2, v11.1, v10.2, and v10.1. Despite patches being released to remediate the issue, researchers from GreyNoise noted a dramatic increase in malicious IP addresses targeting vulnerable systems—from just two on February 13 to 25 by February 18—underscoring the urgency of the situation.

This flaw enables attackers to access the management interface of PAN-OS firewall devices, potentially compromising system integrity and confidentiality. Although the PHP scripts invoked do not directly facilitate remote code execution, they can lead to further exploits if other vulnerabilities are present. Industry experts have observed instances where CVE-2025-0108 was combined with two additional flaws, demonstrating attackers’ readiness to exploit every avenue.

Experts emphasize the importance of immediate action. "Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted," cautioned Noah Stone of GreyNoise Intelligence. CISA’s addition of this vulnerability to its Known Exploited Vulnerabilities Catalog signals a critical call to action for affected organizations to implement available patches promptly.

For the safety of sensitive data and network integrity, it is imperative that organizations not only apply updates but also restrict access to the management interface, thus fortifying their defenses against this alarming and active threat.