Palo Alto Networks has confirmed that multiple vulnerabilities in its PAN-OS firewall software are being actively exploited. The attack chain involves three flaws: CVE-2025-0108, CVE-2024-9474 and CVE-2025-0111. Chained together, they give an attacker with network access to an unpatched management web interface a path from no credentials to root-level command execution on the device. The company has classified CVE-2025-0108 as an authentication bypass in the management web interface and has urged organisations to apply the security patches without delay.

PAN-OS is the operating system for Palo Alto Networks’ next-generation firewalls, which provide network security enforcement and traffic visibility across applications, users and devices. The system incorporates technologies such as App-ID, Content-ID, Device-ID and User-ID to classify network activity and enforce policy in real time, and it uses machine learning to detect and block threats in the traffic it inspects. None of that protects the firewall’s own management plane: the flaws described here are in the management web interface, so an unpatched device is exposed to anyone who can reach that interface, regardless of how its threat-prevention features are configured.

Attackers leveraging multiple PAN-OS vulnerabilities

The authentication bypass vulnerability, CVE-2025-0108, was disclosed on 12 February 2025, when Palo Alto Networks released security patches for it. On the same day, researchers at Assetnote published an analysis showing how CVE-2025-0108 could be combined with CVE-2024-9474 to escalate privileges to root on unpatched PAN-OS firewalls, turning a bug that on its own yields unauthenticated access to the management interface into full device compromise.

By 13 February 2025, GreyNoise had detected initial exploitation attempts from two IP addresses. The number of attack sources has since increased, with 25 IP addresses now identified as actively targeting CVE-2025-0108. The network threat intelligence firm has traced the attack traffic to IP addresses in the US, Germany and the Netherlands, though a source address says little about who is behind the activity, and the attackers’ actual origin remains undetermined.

CVE-2024-9474, the privilege escalation flaw in the attack chain, allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. On its own it requires valid administrative credentials; chained after CVE-2025-0108, that requirement falls away. Palo Alto Networks previously confirmed that this vulnerability was exploited as a zero-day before a patch was issued in November 2024.

The third flaw, CVE-2025-0111, is a file read vulnerability that allows an authenticated attacker with network access to the firewall’s management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user. As with CVE-2024-9474, the authentication requirement is what CVE-2025-0108 removes when the flaws are chained. Although a patch for CVE-2025-0111 was released on 12 February 2025, Palo Alto Networks has since confirmed that it is being exploited in conjunction with the other two vulnerabilities.

Palo Alto Networks has reported that attackers are using CVE-2025-0108 in combination with CVE-2024-9474 and CVE-2025-0111 to target unpatched PAN-OS management web interfaces. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its ‘Known Exploited Vulnerabilities’ (KEV) catalogue, requiring federal civilian agencies to apply the security updates or remove vulnerable systems from operation by 11 March 2025.

Security analysts have noted that organisations using PAN-OS firewalls should assume unpatched devices are being actively targeted, and that a device whose management interface has been reachable from untrusted networks should be treated as potentially compromised rather than simply patched. Palo Alto Networks has reiterated its recommendation that users install the security patches immediately, and its standing deployment guidance applies as well: restrict access to the management interface to trusted internal IP addresses and do not expose it to the internet. That restriction does not replace patching, but it sharply limits who can reach the vulnerable surface, for this chain and for the next management-plane flaw.

In late 2024, the cybersecurity monitoring platform Shadowserver reported that more than 2,000 Palo Alto Networks firewalls had been compromised in attacks exploiting two recently patched zero-day vulnerabilities, one of which was the same CVE-2024-9474 now being reused in the current chain. The flaws, both in the PAN-OS management web interface, were chained to gain administrator privileges and then execute root-level commands on affected devices, the same pattern seen in the current campaign.

Read more: 2,700 firewalls compromised in Palo Alto Networks exploit onslaught