Palo Alto Networks Firewalls Targeted by Exploits Linked to Recent Vulnerabilities

Palo Alto Networks has issued a warning regarding active attacks on its firewalls, exploiting a recently patched flaw in conjunction with two older vulnerabilities to gain root access. The critical vulnerabilities involve the PAN-OS software, which is integral to the operation of these firewalls.

The latest vulnerability, identified as CVE-2025-0108, received a severity rating of 8.8/10 and is an authentication bypass in the web management interface of PAN-OS. This flaw allows unauthenticated attackers to bypass authentication on that interface and execute PHP scripts that can compromise the integrity and confidentiality of the system.

Another significant flaw, CVE-2024-9474, rated at 6.9, allows OS administrators to perform actions on the firewall with elevated privileges. This vulnerability was patched in November 2024. The third vulnerability, CVE-2025-0111, rated at 7.1, enables authenticated attackers to read files accessible to the 'nobody' user on PAN-OS machines.

Palo Alto Networks has observed attempts to exploit these vulnerabilities in tandem, emphasizing the necessity for users to upgrade their PAN-OS versions—specifically 10.1, 10.2, 11.0, 11.1, and 11.2—to the latest patches. The company has noted an increase in attacks leveraging these vulnerabilities, urging customers with internet-facing management interfaces to apply the security updates released on February 12, 2025.

While restricting access to the management console can reduce risk, unpatched systems remain vulnerable. Security experts continue to advise against exposing management consoles to the public internet unless absolutely necessary. Palo Alto Networks has confirmed that its Cloud NGFW and Prisma Access services are not affected by these vulnerabilities.

As the situation evolves, Palo Alto Networks is expected to release a general hotfix soon, with some customers already receiving a limited-release patch to address firewall reboots triggered by specific network traffic.

For more details, visit the full article at The Register.