
Palo Alto confirms exploitation of critical vulnerability


Palo Alto Networks has confirmed that attackers are actively exploiting a recently patched PAN-OS firewall vulnerability tracked as CVE-2025-0108.

Palo Alto Networks disclosed CVE-2025-0108 on Feb. 12, alongside patches and mitigations. The flaw is an authentication bypass in the PAN-OS management web interface: an unauthenticated attacker with network access to that interface can bypass the login and invoke certain PHP scripts on the device. On the same day, Assetnote, the security company that discovered the vulnerability, published technical details.

Threat intelligence company GreyNoise detected the first exploitation attempts against CVE-2025-0108 on Feb. 13, one day after disclosure. Exactly what the attackers are trying to achieve is unclear, but GreyNoise classified the activity as malicious rather than benign scanning.

In a statement sent to SecurityWeek on Monday night (Feb. 17), Palo Alto Networks said that customer security is its top priority and confirmed the reports of active exploitation. By Tuesday, Feb. 18, GreyNoise had observed attack attempts from nearly 30 unique IP addresses.

Combination with other vulnerabilities

In its disclosure, Assetnote pointed out that CVE-2025-0108 can be chained with another vulnerability, such as the actively exploited privilege escalation flaw CVE-2024-9474, to achieve remote code execution. CVE-2024-9474 was patched in November 2024 and has been exploited in combination with CVE-2024-0012, an earlier authentication bypass in the same management interface that is similar in nature to CVE-2025-0108.

In an e-mailed statement, Palo Alto Networks urges all customers with Internet-facing PAN-OS management interfaces to apply the Feb. 12, 2025 security updates immediately. The company notes that restricting access to remote management interfaces is a fundamental security practice and strongly recommends that all organizations review their configurations to minimize exposure.

The Shadowserver Foundation has also observed attempts to exploit CVE-2025-0108 using an unspecified, publicly available proof-of-concept (PoC) exploit. The nonprofit cybersecurity organization warned that roughly 3,500 PAN-OS management interfaces were still exposed to the Internet as of Feb. 14.

Danger of reverse-engineering

When asked whether the disclosure of technical details made it easier for attackers to exploit CVE-2025-0108, Assetnote responded that the public disclosure was coordinated with Palo Alto Networks’ security team. The company also noted that attackers can usually reverse engineer patches fairly easily.

According to Assetnote, its research is intended to help defenders understand how the vulnerability works, so that they can detect intrusion attempts and the cybersecurity community can verify whether exploitation has occurred in the wild.