Two critical vulnerabilities in Palo Alto Networks' PAN-OS software are currently being exploited in the wild, posing significant risks to organizations using the affected systems. The vulnerabilities, tracked as CVE-2024-9474 and CVE-2025-0108, have been linked to active ransomware campaigns, with attackers leveraging these flaws to gain unauthorized access and escalate privileges.
CVE-2024-9474 is a high-severity privilege escalation vulnerability with a CVSS score of 7.2. It allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. This vulnerability has been exploited as a zero-day, with attackers taking advantage of it before its disclosure on November 18, 2024. The flaw is listed in the Known Exploited Vulnerabilities (KEV) catalog and has been associated with ransomware groups such as 0apt, Akira, Ransomhub, and Sinobi. Despite its severity, Palo Alto Networks' Cloud NGFW and Prisma Access are not impacted by this vulnerability.
The second vulnerability, CVE-2025-0108, is even more critical, with a CVSS score of 9.1. It involves an authentication bypass that allows unauthenticated attackers with network access to the management web interface to invoke certain PHP scripts without the usual authentication requirements. This vulnerability was disclosed on February 12, 2025, and has been actively exploited within five days of its disclosure. The exploitation of this flaw has been observed by multiple security firms, highlighting its widespread impact and the urgency for remediation.
Arctic Wolf has reported attempts to chain these two vulnerabilities, amplifying the potential damage by combining privilege escalation with authentication bypass. This chaining technique allows attackers to gain initial access through the authentication bypass and then escalate privileges to execute arbitrary commands with root access, significantly increasing the threat level.
GreyNoise and SOC Prime have both confirmed active exploitation of CVE-2025-0108, with GreyNoise observing malicious traffic patterns indicative of exploitation attempts. The availability of multiple proof-of-concept (PoC) exploits for both vulnerabilities further exacerbates the situation, providing attackers with the tools needed to execute these attacks effectively.
Organizations using Palo Alto Networks' PAN-OS are urged to apply patches immediately to mitigate these vulnerabilities. The presence of these flaws in the KEV catalog underscores their critical nature and the necessity for swift action. Security teams should prioritize patching and monitor their networks for any signs of exploitation, particularly focusing on unusual access patterns to the management web interface.
Given the active exploitation and the involvement of ransomware groups, the urgency for remediation cannot be overstated. Organizations should ensure that their security measures are up-to-date and consider implementing additional monitoring and detection capabilities to identify and respond to potential exploitation attempts swiftly.
CSURFACE