CVE-2025-0108
PAN-OS vulnerability analysis and mitigation

Overview

An authentication bypass vulnerability (CVE-2025-0108) was discovered in the management web interface of Palo Alto Networks PAN-OS software. The vulnerability, disclosed on February 12, 2025, enables an unauthenticated attacker with network access to bypass authentication and invoke certain PHP scripts. The vulnerability affects PAN-OS versions 10.1, 10.2, 11.1, and 11.2, while Cloud NGFW and Prisma Access software remain unaffected. The flaw was discovered by Adam Kues from the Assetnote Security Research Team (PAN Advisory).

Technical details

The vulnerability stems from a path confusion issue between the Nginx and Apache components of the PAN-OS management interface. Authentication is enforced at the Nginx level based on HTTP headers, but the request is then re-processed by Apache, which may interpret the path or headers differently. This discrepancy in path processing between the Nginx and Apache components allows attackers to bypass authentication controls. The vulnerability has been assigned a CVSS score of 8.8 (HIGH) and is being actively exploited in the wild (Searchlight Cyber).

Impact

While the vulnerability itself does not directly enable remote code execution, exploiting it can negatively impact the integrity and confidentiality of PAN-OS. The risk is highest when access to the management interface is allowed from external IP addresses on the internet. Attackers who chain it with other vulnerabilities such as CVE-2024-9474 and CVE-2025-0111 can gain unauthorized access to unpatched and unsecured firewalls (SecurityWeek).

Mitigation and workarounds

Palo Alto Networks has released patches for the affected versions: PAN-OS 11.2.4-h4 or later, PAN-OS 11.1.6-h1 or later, PAN-OS 10.2.13-h3 or later, and PAN-OS 10.1.14-h9 or later. The recommended mitigation is to restrict management interface access to trusted internal IP addresses only, following the critical deployment guidelines. Additionally, customers with a Threat Prevention subscription can block attacks by enabling Threat IDs 510000 and 510001 (PAN Advisory).
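As an added example (not code from this page or from Palo Alto Networks), the following Python check compares an inventory of PAN-OS version strings against the fixed versions listed above; the "major.minor.maint-hN" version format and the sample inventory are assumptions made for illustration.

```python
"""Added example: classify PAN-OS versions against the CVE-2025-0108 fixed releases."""
import re
from typing import Tuple

# Minimum fixed version per affected release train, as listed in the advisory above.
FIXED_VERSIONS = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}

# Assumed format: major.minor.maint with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.
    A release without a hotfix suffix sorts before its hotfixes (hotfix 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for CVE-2025-0108.
    'not-listed' means the release train is not named in the advisory,
    so this check makes no claim about it either way."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory of management-plane versions.
    for v in ["10.2.13-h2", "10.2.13-h3", "11.1.6", "11.2.4-h4", "11.0.3"]:
        print(f"{v:>12}: {assess(v)}")
```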

Community reactions

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its 'Known Exploited Vulnerabilities' (KEV) catalog, requiring federal agencies to apply patches or mitigations by March 11, 2025. Security researchers and threat intelligence firms have actively tracked and reported on exploitation attempts, with GreyNoise observing an increase in malicious activity from 2 to 25 unique IP addresses within days of disclosure (BleepingComputer).
