
Palo Alto Networks has confirmed ongoing exploitation of the recently patched critical vulnerability CVE-2025-0108. In conjunction with two previously identified flaws, threat actors can successfully bypass authentication and gain full root access to vulnerable systems.
The sequence of events began with CVE-2024-9474 (CVSS score: 6.9), a privilege escalation vulnerability in PAN-OS that allowed administrators with access to the web management interface to execute commands with root privileges. Although Palo Alto Networks released a patch in November 2024, security researchers from Searchlight Cyber’s Assetnote uncovered a new authentication bypass issue while analyzing the fix.
The newly discovered vulnerability, CVE-2025-0108 (CVSS score: 8.8), was patched in early February 2025. It allows an attacker with network access to the management interface to bypass authentication and invoke specific PHP scripts, compromising the integrity and confidentiality of the system.
Adding to the threat landscape is CVE-2025-0111 (CVSS score: 7.1), which was patched on the same day. This flaw allows an authenticated attacker with network access to the management interface to read files that are readable by the "nobody" user. Rated lower in severity on its own, it poses a significant risk when chained with the other flaws.
On February 18, Palo Alto Networks updated its security advisory to confirm that it had documented attacks combining CVE-2024-9474 and CVE-2025-0111. This active exploitation shows that attackers are already using these vulnerabilities to gain full control of affected devices.
The company strongly urges administrators to immediately update PAN-OS versions 10.1, 10.2, 11.0, 11.1, and 11.2 to the latest patched releases.
While Cloud NGFW and Prisma Access are not affected, customers running PAN-OS firewalls face a growing risk of targeted attacks. The company has confirmed that these attacks are ongoing and escalating.
Notably, Palo Alto Networks cautions that restricting web interface access to internal IP addresses alone does not guarantee security. Such a restriction reduces the likelihood of compromise, but unpatched systems remain vulnerable to anyone who can reach the interface. Many administrators deliberately expose management interfaces to the internet for remote administration; in the current threat landscape, this practice significantly increases risk.
Palo Alto Networks has not disclosed the exact number of affected users but notes that most customers have already restricted access to management interfaces. Nonetheless, patching remains an essential safeguard.
The company has announced an imminent emergency update, with some users already receiving a preliminary fix in version 11.1.4-h12, which addresses firewall reboot issues caused by specific network traffic conditions. Final testing is currently underway before wider deployment of the patch.