
Security Bulletin: PAN-OS Authentication Bypass Vulnerability

CVE-2025-0108 is a high-severity authentication bypass vulnerability in Palo Alto Networks' PAN-OS, the operating system of its next-generation firewalls. It allows an unauthenticated attacker with network access to the PAN-OS management web interface to bypass the authentication the interface normally requires and invoke certain PHP scripts. The root cause is an authentication decision that is made in one component but enforced in another: Nginx decides whether a request needs authentication based on the path it sees, while Apache decodes and normalizes the forwarded path a second time, so the two servers can disagree about which script a request actually targets. The flaw does not by itself give remote code execution, but it compromises the integrity and confidentiality of the system, can expose sensitive configuration data, and can be chained with other vulnerabilities for further exploitation.

Affected versions are all PAN-OS 11.2, 11.1, 10.2 and 10.1 releases prior to PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3 and 10.1.14-h9 respectively. Prisma Access and Cloud NGFW instances are unaffected. The vulnerability was assigned a CVSS score of 8.8 (High), reflecting a high impact on system confidentiality and integrity. Chained with other vulnerabilities, it could allow unauthorized access to unpatched firewalls whose management interface is reachable from untrusted networks (Security Week, 2025; Palo Alto, 2025).

Vulnerability Type (CWE)

CWE-306 Missing Authentication for Critical Function

CVSS Score

8.8 (High)

Impacted Versions

  • PAN-OS 11.2 – Versions prior to 11.2.4-h4
  • PAN-OS 11.1 – Versions prior to 11.1.6-h1
  • PAN-OS 10.2 – Versions prior to 10.2.13-h3
  • PAN-OS 10.1 – Versions prior to 10.1.14-h9

Mitigation Steps

  1. Immediate Patching:
    • Upgrade PAN-OS to the latest patched versions:
      • PAN-OS 11.2.4-h4 or later
      • PAN-OS 11.1.6-h1 or later
      • PAN-OS 10.2.13-h3 or later
      • PAN-OS 10.1.14-h9 or later
    • Customers running PAN-OS 11.0 must upgrade to a supported release; that branch has reached end-of-life and no fix is planned for it (Palo Alto, 2025).
  2. Restrict Management Interface Access:
    • Limit access to the management web interface to trusted internal IP addresses and do not expose it to the internet. This is Palo Alto Networks' standing best-practice recommendation and removes the network-access precondition for exploiting this flaw.
  3. Enable Threat Prevention Controls:
    • If subscribed to Palo Alto Networks Threat Prevention, enable Threat ID 510000 and 510001 to block exploit attempts (Palo Alto, 2025).
  4. Monitor for Exploitation Attempts:
    • Review management web interface access logs for requests under /unauth/ that carry encoded traversal sequences (%2e%2e or %252e%252e) and resolve to /php/ paths.
    • Identify access to PAN-OS management interfaces from untrusted networks.
    • Use threat intelligence feeds to track IP addresses attempting to exploit the vulnerability.

Exploit Process

Prerequisites

  • The target firewall must be running an unpatched version of PAN-OS:
    • PAN-OS prior to 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9.
  • The management web interface must be exposed to an attacker’s network.
  • The attacker must be able to send HTTP requests to the management interface.

According to Assetnote, the exploitation process is the following:

Step-by-Step Exploitation

Step 1: Understanding the Path Confusion

  • The PAN-OS web management interface is fronted by Nginx as a reverse proxy, which forwards requests to Apache and mod_php.
  • Nginx decides per request whether authentication is required and passes that decision to the backend in the X-pan-AuthCheck header; for paths under /unauth/ it sets the header to off.
  • Apache percent-decodes and normalizes the forwarded path again before dispatching it to PHP, so the path Nginx based its decision on can differ from the script Apache actually runs. That discrepancy is the authentication bypass.

Step 2: Crafting the Exploit Request

  • The vulnerability can be exploited by double encoding a path traversal sequence.
  • A specially crafted request of the following form can be used:

        GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1
        Host: <TARGET_IP>
        Connection: close

  • Explanation:
    • %252e%252e → double URL-encoded .. (the parent-directory segment used for traversal)
    • /unauth/ → matches the Nginx location that disables the authentication check
    • /php/ztp_gate.php → Targets a sensitive PHP script within the management interface
    • PAN_help/x.css → Added to ensure correct internal URL rewriting by Apache

Step 3: Bypassing Authentication

  1. Nginx Processing:
    • Decodes %252e%252e once, yielding /unauth/%2e%2e/php/ztp_gate.php/PAN_help/x.css. Because %2e%2e is not a literal dot segment at this point, Nginx's own path normalization leaves it in place.
    • Matches the /unauth/ location and marks the request as not requiring authentication (X-pan-AuthCheck: off).
    • Forwards the request to Apache.
  2. Apache Processing:
    • Decodes a second time, turning %2e%2e into .. and giving /unauth/../php/ztp_gate.php/PAN_help/x.css.
    • Normalizes the path, resolving it to /php/ztp_gate.php/PAN_help/x.css.
    • Because the authentication decision was already made by Nginx on the pre-traversal path, /php/ztp_gate.php is invoked with the authentication check switched off.

Step 4: Exploiting the Unauthenticated Access

Once the authentication bypass is achieved, an attacker can:

  • Access PHP scripts that were intended to be restricted
  • Extract sensitive information such as system configuration and credentials
  • Chain the attack with other vulnerabilities (e.g., CVE-2024-9474) to achieve full system compromise
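The path confusion walked through in Steps 1 to 3, and the log review called for in mitigation step 4, modelled as an added Python example. This is not code from the bulletin, Assetnote or Palo Alto Networks: nginx_stage, apache_stage, canonical and find_bypass_attempts are this example's own names, the two-stage decode model is a simplification of the behaviour described above rather than a description of PAN-OS internals, and the access-log lines and IP addresses are constructed.

```python
"""Model of the CVE-2025-0108 path confusion plus a log check for it.

Added example written for this bulletin; it is not code from Centripetal,
Assetnote or Palo Alto Networks.  The two stages below are a simplified
model of the behaviour the bulletin describes (Nginx decodes once and
picks the /unauth/ location; Apache decodes again and collapses dot
segments).  The log lines and IP addresses are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

UNAUTH_PREFIX = "/unauth/"


def nginx_stage(raw_path: str) -> tuple[str, bool]:
    """Step 3.1 of the bulletin: one round of percent-decoding, dot-segment
    merging, then location matching.  Returns (path nginx saw, whether the
    X-pan-AuthCheck check stays on)."""
    seen = posixpath.normpath(unquote(raw_path))   # %252e -> %2e; %2e%2e is not a dot segment yet
    auth_check_on = not seen.startswith(UNAUTH_PREFIX)
    return seen, auth_check_on


def apache_stage(path_from_nginx: str) -> str:
    """Step 3.2: Apache percent-decodes the forwarded path a second time and
    normalizes it, so %2e%2e becomes .. and is resolved away."""
    return posixpath.normpath(unquote(path_from_nginx))


def trace(raw_path: str) -> dict:
    """Follow one request through both stages."""
    seen, auth_check_on = nginx_stage(raw_path)
    return {
        "nginx_sees": seen,
        "auth_check": auth_check_on,
        "apache_serves": apache_stage(seen),
    }


def canonical(raw_path: str, max_rounds: int = 5) -> str:
    """Hardened form (assumption, not a PAN-OS mechanism): decode until the
    string stops changing, then collapse dot segments.  An auth decision made
    on this form cannot be split from the path the backend finally serves."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def requires_auth(raw_path: str) -> bool:
    """True unless the fully canonicalized target really lives under /unauth/."""
    return not canonical(raw_path).startswith(UNAUTH_PREFIX)


# Constructed nginx-style access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2025:10:01:02 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 512
203.0.113.10 - - [18/Feb/2025:10:01:03 +0000] "GET /unauth/%2e%2e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 403 120
198.51.100.7 - - [18/Feb/2025:10:02:00 +0000] "GET /unauth/PAN_help/help.css HTTP/1.1" 200 80
198.51.100.7 - - [18/Feb/2025:10:02:01 +0000] "GET /php/login.php?user=a HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_bypass_attempts(log_text: str) -> list[tuple[str, str]]:
    """Mitigation step 4: flag requests that enter via /unauth/ but whose
    canonical target escapes it.  Returns (client_ip, raw_path) pairs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, raw_path, _status = m.groups()
        path_only = raw_path.split("?", 1)[0]
        if path_only.startswith(UNAUTH_PREFIX) and requires_auth(path_only):
            hits.append((ip, raw_path))
    return hits


if __name__ == "__main__":
    for p in ("/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css",
              "/unauth/%2e%2e/php/ztp_gate.php/PAN_help/x.css"):
        print(p, "->", trace(p))
    for ip, path in find_bypass_attempts(SAMPLE_LOG):
        print("suspicious:", ip, path)
```

Running the block shows why the payload is double-encoded: with a single %2e%2e the first stage already resolves the traversal, the path no longer starts with /unauth/, and the authentication check stays on; with %252e%252e the first stage sees /unauth/%2e%2e/... and switches the check off, and only the second stage resolves the traversal to /php/ztp_gate.php. The detector flags both variants, since a request that enters via /unauth/ but canonicalizes elsewhere is a traversal attempt whether or not it succeeded.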

Interaction with Other Vulnerabilities

CVE-2025-0108 is particularly dangerous when exploited in conjunction with other vulnerabilities in PAN-OS, notably CVE-2024-9474 and CVE-2025-0111. Attackers have been observed chaining these flaws to escalate privileges and gain deeper system access.

  • CVE-2024-9474 (Privilege Escalation, CVSS 6.9): allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. CVE-2025-0108 by itself yields no code execution; in the observed chains the authentication bypass is the entry point and CVE-2024-9474 supplies root once administrative actions become reachable (The Register, 2025).
  • CVE-2025-0111 (Authenticated File Read, CVSS 7.1): allows an authenticated attacker with network access to the management web interface to read files readable by the "nobody" user. Chained with CVE-2025-0108, an unauthenticated attacker first bypasses authentication and then uses CVE-2025-0111 to read sensitive files, potentially extracting credentials or configuration details to compromise the firewall further (The Register, 2025).

Timeline

2025-02-12 – Initial announcement; Palo Alto Networks added the Threat Prevention Threat IDs to Workarounds and Mitigations.

2025-02-18 – Palo Alto Networks confirmed exploitation based on a publicly available PoC.

2025-02-19 – Updated fix availability for PAN-OS 10.2 and 11.1.

Centripetal’s Perspective

Centripetal's CleanINTERNET® service provides a proactive, intelligence-driven defense against vulnerabilities like CVE-2025-0108, which lets an unauthenticated attacker with network access to the PAN-OS management web interface bypass its authentication and invoke certain PHP scripts. Leveraging billions of threat indicators, CleanINTERNET® dynamically blocks malicious traffic using real-time global threat feeds and augmented human analysis, protecting organizations from exploitation attempts involving known IoCs. This reduces the attack surface, strengthens security operations and supports uninterrupted business continuity, enabling organizations to adopt a proactive and adaptive cybersecurity strategy against evolving threats.

CVE-2025-0108 is a high-severity authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface. The flaw stems from a discrepancy in how Nginx and Apache decode and normalize request paths, combined with an authentication decision that Nginx makes before Apache resolves the final path. By double URL-encoding a traversal sequence under /unauth/, attackers bypass authentication and invoke PHP scripts, potentially exposing sensitive data and impacting system integrity. GreyNoise has identified multiple IP addresses actively exploiting this vulnerability in the wild (GreyNoise, 2025).

Palo Alto Networks has released security patches for supported PAN-OS versions and strongly urges immediate updates. Organizations should apply these patches as soon as possible and follow best practices, including restricting access to the management interface to trusted internal IPs. Continuous monitoring for indicators of compromise (IoCs), such as unusual login attempts or unauthorized script executions, is essential. Strengthening perimeter defenses and reducing exposure of critical management interfaces can significantly mitigate the risk of exploitation.

If you are a current client of Palo Alto please contact support@centripetal.ai.

Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
