(TLP: CLEAR) Vulnerabilities in Palo Alto Network Firewalls Actively Exploited in Chained Attacks

TLP:CLEAR

Author: Chase Snow

Created: Thursday, February 20, 2025 - 13:58

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

Summary: Threat actors are actively exploiting multiple vulnerabilities in Palo Alto Networks (PAN) firewalls, particularly CVE-2025-0108, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday. CVE-2025-0108 is an authentication bypass in the PAN-OS software: an unauthenticated attacker with network access to the management web interface can bypass the authentication that interface otherwise requires. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to systems.

Analyst Note: Palo Alto Networks has confirmed that it has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111, a chain that, in addition to authentication bypass, enables attackers to escalate privileges. WaterISAC urges members to apply the patches and recommended mitigations provided by Palo Alto Networks. Members with internet-facing Palo Alto Networks firewalls that were not upgraded immediately after the release of the latest security updates should assume the devices have been compromised and should hunt for evidence of compromise and for planted malware. There are no publicly available indicators of compromise at this time.

Original Source: https://securityadvisories.paloaltonetworks.com/CVE-2025-0108

Additional Reading:

  • CISA Adds Two Known Exploited Vulnerabilities to Catalog
  • Attackers are chaining flaws to breach Palo Alto Networks firewalls
  • Palo Alto Networks warns that CVE-2025-0111 flaw is actively exploited in attacks

Related WaterISAC PIRs: 6, 8, 12
