What is Palo Alto Networks PAN-OS?
Palo Alto Networks PAN-OS is the operating system powering Palo Alto's next-generation firewalls (NGFWs) and Panorama management servers — some of the most widely deployed enterprise perimeter security appliances in the world. PAN-OS devices are deployed as network gateways, VPN terminators, and security inspection engines at the perimeter of enterprise networks. The management web interface allows administrators to configure and monitor the appliance remotely.
When the management interface is exposed to the internet — a configuration explicitly discouraged by Palo Alto but observed in thousands of deployments — it becomes a direct attack surface for pre-authentication vulnerabilities.
Overview
CVE-2025-0108 is a missing authentication vulnerability (CWE-306) in the PAN-OS management web interface that allows an unauthenticated attacker with network access to the interface to bypass authentication and invoke certain PHP scripts. When chained with CVE-2025-0109 (file read via path traversal) and CVE-2025-0110 (OS command injection), attackers achieve unauthenticated remote code execution. Active exploitation was confirmed within days of patch release.
Affected Versions
| PAN-OS Version | Vulnerable | Fixed |
|---|---|---|
| 11.2.x | < 11.2.4-h4 | 11.2.4-h4 |
| 11.1.x | < 11.1.6-h1 | 11.1.6-h1 |
| 11.0.x | < 11.0.6-h1 | 11.0.6-h1 |
| 10.2.x | < 10.2.13-h3 | 10.2.13-h3 |
| 10.1.x | < 10.1.14-h9 | 10.1.14-h9 |
Scope: Only applies when the management web interface (port 443) is accessible from the network. Devices with the management interface restricted to a dedicated out-of-band management network are protected.
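To turn the table above into something an inventory script can consume, here is an added example (not Palo Alto's code or tooling) that parses PAN-OS version strings with their `-hN` hotfix suffix, compares a device's version against the fixed release for its train, and ranks devices so that vulnerable appliances with a reachable management interface come first. The inventory rows, hostnames and field names are constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases taken from the affected-version table above, keyed by release train.
FIXED_VERSIONS: Dict[str, str] = {
    "11.2": "11.2.4-h4",
    "11.1": "11.1.6-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.13-h3",
    "10.1": "10.1.14-h9",
}

# major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.13-h3' into (10, 2, 13, 3). A base release without a hotfix gets
    hotfix 0, so 10.2.13 sorts below 10.2.13-h3 as it should."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release of its train, False if at or
    above it, None if the train is not in the table (check the vendor advisory)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rank devices for patching: vulnerable devices whose management interface is
    reachable from untrusted networks first, then other vulnerable devices, then
    devices on a train the table does not cover. Row field names are assumptions."""
    findings = []
    for dev in inventory:
        status = is_vulnerable(str(dev["version"]))
        if status is False:
            continue
        findings.append({
            "host": dev["host"],
            "version": dev["version"],
            "vulnerable": status,
            "mgmt_exposed": bool(dev.get("mgmt_exposed", False)),
        })
    findings.sort(key=lambda f: (not f["mgmt_exposed"], f["vulnerable"] is not True))
    return findings


# Constructed sample inventory (hostnames, versions and exposure flags are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "version": "10.2.13-h2", "mgmt_exposed": True},
    {"host": "fw-edge-02", "version": "10.2.13-h3", "mgmt_exposed": True},
    {"host": "fw-core-01", "version": "11.1.6", "mgmt_exposed": False},
    {"host": "fw-lab-01", "version": "9.1.17", "mgmt_exposed": False},
    {"host": "panorama-01", "version": "11.2.4-h4", "mgmt_exposed": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

A version string with any suffix other than `-hN` raises `ValueError` rather than being silently treated as patched; a device on a train outside the table is reported with `vulnerable=None` so it is reviewed by hand instead of being dropped.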
Technical Details
The authentication bypass (CWE-306) exploits a discrepancy between how Nginx (the front-end web server) and Apache (the back-end application server) handle certain HTTP requests in the management web interface. By sending a specially crafted HTTP request with a path that Nginx forwards differently than Apache expects, an attacker can reach PHP scripts behind the authentication layer without presenting valid credentials. The PHP scripts invoked can perform sensitive management operations.
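The design lesson behind this bug class is that the component making the authentication decision and the component dispatching the request must agree on which resource is being requested. The following added example (not Palo Alto's code, and deliberately not modelled on any real PAN-OS route) contrasts a naive gateway that applies its public/protected policy to the raw path with a hardened one that applies it to the canonical path the back-end will use, and flags any request where the two views disagree, which is the condition a defender wants logged. The route policy, paths and `canonical_path` rules are assumptions for the demo.

```python
from typing import Dict, List
from urllib.parse import unquote

# Hypothetical route policy: one unauthenticated login page and a public asset
# tree; everything else requires a valid session.
PUBLIC_EXACT = {"/login"}
PUBLIC_PREFIXES = ("/public/",)


def strip_query(raw_path: str) -> str:
    return raw_path.split("?", 1)[0]


def canonical_path(raw_path: str) -> str:
    """The path the back-end dispatches on: percent-decoded, with '.' and '..'
    segments resolved and repeated slashes collapsed. A trailing slash is kept."""
    path = unquote(strip_query(raw_path))
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    canon = "/" + "/".join(segments)
    if path.endswith("/") and canon != "/":
        canon += "/"
    return canon


def classify(path: str) -> str:
    """Route class the policy assigns to a path exactly as given (no normalization)."""
    if path in PUBLIC_EXACT or path.startswith(PUBLIC_PREFIXES):
        return "public"
    return "protected"


def evaluate(raw_path: str, has_session: bool) -> Dict[str, object]:
    """Compare the two gateways. The naive one decides on the front-end's view of the
    raw path; the hardened one decides on the canonical path and also reports whether
    the two views disagree."""
    front_class = classify(strip_query(raw_path))
    back_class = classify(canonical_path(raw_path))
    naive = "allow" if front_class == "public" or has_session else "deny"
    hardened = "allow" if back_class == "public" or has_session else "deny"
    return {
        "path": raw_path,
        "canonical": canonical_path(raw_path),
        "naive": naive,
        "hardened": hardened,
        "normalization_gap": front_class != back_class,
    }


def gap_requests(raw_paths: List[str]) -> List[str]:
    """Paths whose front-end and back-end route classes disagree: alert on these."""
    return [p for p in raw_paths if evaluate(p, False)["normalization_gap"]]


# Constructed sample requests; the paths are made up and match no real product.
SAMPLE_REQUESTS = [
    "/login",
    "/public/css/site.css",
    "/admin/settings.php",
    "/public/../admin/settings.php",
    "/public/%2e%2e/admin/settings.php",
    "/files/report%20q1.pdf",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(evaluate(p, has_session=False))
```

The hardened gateway never tries to guess what the back-end will do from the raw string; it computes the same canonical form the back-end uses and authorizes on that. Comparing route classes rather than raw strings keeps harmless percent-encoding (the `report%20q1.pdf` request) from being reported as a gap.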
Three-CVE attack chain:
- CVE-2025-0108 (this CVE): Bypass authentication → invoke PHP scripts without credentials
- CVE-2025-0109 (CVSS 7.1): Read arbitrary files from the filesystem via path traversal in an authenticated endpoint (now reachable post-bypass)
- CVE-2025-0110 (CVSS 7.3): OS command injection in the OpenConfig plugin — when chained after 0108, achieves unauthenticated RCE
The three CVEs were patched simultaneously; all three must be applied to close the full attack chain.
Discovery
Assetnote researchers identified and reported CVE-2025-0108 to Palo Alto Networks. Assetnote published technical analysis of the Nginx/Apache request handling discrepancy after the patch was released.
Exploitation Context
Active exploitation was confirmed within days of the February 12, 2025 patch release. Greynoise and Shadowserver observed widespread scanning for vulnerable management interfaces. Multiple threat actors independently developed exploits, and public proof-of-concept code appeared within 48 hours of disclosure.
Palo Alto Networks data showed thousands of internet-exposed PAN-OS management interfaces at the time of the advisory. Organizations that followed Palo Alto's recommended network configuration (restricting management interface access) were not exposed.
Remediation
- Apply patches immediately per the affected version table above. The CISA deadline was March 11, 2025.
- Restrict management interface access — this is the most effective mitigation. The management web interface (port 443) should only be accessible from a dedicated out-of-band management network, never from the internet. Verify via Security → Telemetry in the web UI.
- Apply patches for CVE-2025-0109 and CVE-2025-0110 simultaneously — patching only CVE-2025-0108 without the companion CVEs leaves the chain partially open.
- Review management interface access logs for anomalous unauthenticated requests to PHP scripts; look for requests without session cookies or with malformed authentication headers.
- Enable Threat Prevention signatures for CVE-2025-0108 if running an older PAN-OS version while staging the patch rollout.
- Check for signs of follow-on exploitation in the OpenConfig plugin if CVE-2025-0110 is also applicable to your deployment.
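As a starting point for the log review recommended above, here is an added example (not Palo Alto's tooling, and not PAN-OS's real log format) that parses constructed management-access log lines and flags two things: PHP scripts other than the login page served successfully to a client that presented no session cookie, and request paths containing encoded dots, parent-directory segments or doubled slashes that a front-end and back-end may interpret differently. The line layout, script names and IP addresses are assumptions for the demo; adapt the regex and the `UNAUTH_OK` set to the real log and the real unauthenticated endpoints.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Assumed generic layout for the demo:
#   <timestamp> <client-ip> "<METHOD> <path> HTTP/1.1" <status> cookie=<yes|no>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) cookie=(?P<cookie>yes|no)$'
)

# PHP scripts that are legitimately reachable before login (hypothetical names).
UNAUTH_OK = {"/app/login.php"}

# Constructed sample lines; IPs, paths and times are made up.
SAMPLE_LOG = """\
2025-02-13T09:12:01Z 198.51.100.7 "GET /app/login.php HTTP/1.1" 200 cookie=no
2025-02-13T09:12:05Z 10.20.0.15 "GET /app/dashboard.php HTTP/1.1" 200 cookie=yes
2025-02-13T09:13:40Z 198.51.100.7 "GET /app/%2e%2e/admin/settings.php HTTP/1.1" 200 cookie=no
2025-02-13T09:13:41Z 198.51.100.7 "GET /app/../admin/settings.php HTTP/1.1" 403 cookie=no
2025-02-13T09:14:02Z 10.20.0.15 "GET /static/logo.png HTTP/1.1" 200 cookie=no
2025-02-13T09:15:00Z 203.0.113.9 "POST /app/settings.php HTTP/1.1" 200 cookie=no
"""


def odd_path(raw_path: str) -> bool:
    """Cheap heuristic for paths a front-end and back-end may interpret differently:
    encoded dots or slashes, parent-directory segments, or doubled slashes."""
    lowered = raw_path.lower()
    decoded = unquote(raw_path)
    return ("%2e" in lowered or "%2f" in lowered
            or "/../" in decoded or decoded.endswith("/..") or "//" in decoded)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, listing the reasons that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and inspect unparsable lines as well
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]
        is_php = unquote(path).lower().endswith(".php")
        reasons = []
        # A successful (2xx) response for a non-login PHP script with no session cookie.
        if (is_php and rec["cookie"] == "no" and path not in UNAUTH_OK
                and rec["status"].startswith("2")):
            reasons.append("php_served_without_session")
        if odd_path(path):
            reasons.append("path_normalization_oddity")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                             "status": int(rec["status"]), "reasons": reasons})
    return findings


def by_source(findings: List[Dict[str, object]]) -> Counter:
    """Count findings per client address to surface the noisiest sources."""
    return Counter(str(f["src"]) for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print(by_source(found))
```

Blocked (403) traversal attempts are still reported under `path_normalization_oddity`, because a burst of them from one address is useful context even when nothing was served; only the successful unauthenticated PHP responses get the stronger `php_served_without_session` label.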
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-0108 |
| Vendor / Product | Palo Alto Networks — PAN-OS |
| NVD Published | 2025-02-12 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 9.1 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Severity | CRITICAL |
| CWE | CWE-306 |
| CISA KEV Added | 2025-02-18 |
| CISA KEV Deadline | 2025-03-11 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-02-12 | CVE published; Palo Alto Networks releases patches |
| 2025-02-18 | Added to CISA Known Exploited Vulnerabilities catalog; active exploitation confirmed |
| 2025-03-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Palo Alto Networks Security Advisory — CVE-2025-0108 | Vendor Advisory |
| NVD — CVE-2025-0108 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Palo Alto Unit 42 — CVE-2025-0108 Analysis | Security Research |
| Rapid7 ETR — PAN-OS Authentication Bypass | Security Research |