- Palo Alto Networks fixes authentication bypass PAN-OS flaw
- A day after the patch was released, criminals started looking for vulnerable endpoints
- The flaw allows them to run different PHP scripts
A vulnerability in Palo Alto Networks firewalls is being abused in in-the-wild attacks, researchers are saying.
The company recently found, and fixed, an authentication bypass vulnerability in its PAN-OS firewalls. The flaw, tracked as CVE-2025-0108, has a severity score of 8.8/10 (high), and was said to affect multiple versions of the product.
It released a fix on February 12, 2025, urging users to upgrade their firewalls to these versions:
11.2.4-h4 or later
11.1.6-h1 or later
10.2.13-h3 or later
10.1.14-h9 or later
Exploit attempts
The vulnerability impacts the PAN-OS management web interface, and allows malicious actors to run different PHP scripts. This, in turn enables sensitive data exfiltration, firewall configuration tampering, and more.
Now, researchers from the security outlet GreyNoise said they observed attempts to exploit the flaw on unpatched endpoints. The attacks, they said, started a day after Palo Alto Networks released the patch (February 13), and came from multiple IP addresses, which could suggest that more attackers picked up on the vulnerability at the same time.
Citing information from Macnica researcher Yutaka Sejiyama, BleepingComputer reported that the attack surface likely counts more than 4,400 devices.
To protect the firewalls, users should apply the patch as soon as possible, and restrict access to the product’s interface, as soon as possible.
Firewalls used by SMBs are often targets because these types of businesses typically have weaker security configurations and outdated firmware. Many SMBs lack dedicated IT teams, leading to misconfigured firewall rules that create vulnerabilities. Furthermore, threat actors can use firewalls as entry points to bypass network defenses and gain deeper access to internal systems. Once compromised, firewalls can be used to intercept sensitive data, launch further attacks, or disable security measures altogether.
Via BleepingComputer
