On February 18, CISA added the recently published Palo Alto Networks CVE-2025-0108 to its Known Exploited Vulnerabilities catalog. To date, according to GreyNoise, over 25 distinct public sources have been observed attempting exploitation.
Unmitigated, this vulnerability can lead to significantly weakened network defenses and open doors for data leakages, financial compromises, and ransomware down the road. In this blog we describe the potential impact of this vulnerability and how to mitigate it with Forward Enterprise.
With low attack complexity and mature, in-the-wild exploitation, CVE-2025-0108 should be high on every network team's priority list (vendor advisory: https://security.paloaltonetworks.com/CVE-2025-0108). The exploit consists of specially crafted HTTP requests that bypass the management web interface's authentication and invoke PHP scripts that are intended only for authenticated administrators. An attacker who can reach these scripts can extract firewall configuration for network reconnaissance, open backdoors into protected network zones, block important data flow paths, and inflict other damage.
First, identify all the Palo Alto firewalls in your network. There are multiple ways to do that with Forward Networks, but the easiest is by going to Inventory+ (NQE) > OS Support and filtering the Vendor field to Palo Alto Networks.
This view also shows the PAN-OS versions in your network and whether any deployed device runs an operating system version that is past its end of maintenance. In our lab example, both the 7.1.0 and 10.0.9 versions of PAN-OS are past end of maintenance. Note that PAN-OS 10.0 and 11.0 are both affected by this vulnerability but reached end of life on July 16, 2022 and November 17, 2024 respectively, so no patches are available for those devices; an upgrade to 10.1 or 11.1 is required.
According to the vendor, the following OS versions are affected by the issue:
This vulnerability is particularly critical for devices whose management interface is exposed to the internet.
To verify the exposure of the management interfaces you have identified, explore Internet Blast Radius.
By going to the Blast Radius application in Forward Enterprise and selecting Blast Radius from one of the known internet gateways in your network, you are able to review if there is any overlap between the reachable IP addresses and the management IP address of Palo Alto devices you have identified. In our case, management IPs 10.100.0.177 and 10.100.0.105 are not reachable from the internet. This makes us much less vulnerable to this exploit while we are working on patching the software.
Another way to explore potentially exposed interfaces is to review the list of assets requiring remediation on the Palo Alto customer support portal. Some devices with management IPs exposed to the internet may be discoverable by the vendor and listed on that portal. Protecting management IPs from public access is the single most effective way to prevent successful attacks on your network! If completely isolating the management interface from the internet is not possible, an alternative temporary strategy is to filter access through a next-generation firewall. Within the Palo Alto family, threat prevention for this vulnerability is available with Threat signatures 510000 and 510001.
An even easier way to quickly get an initial assessment of any vulnerability is from the Forward Enterprise Vulnerabilities application. By going to the CVE tab of the vulnerability application, you will immediately see how many devices in your network are affected.
Furthermore, looking at the details, you will immediately see the management IPs of the devices, the current version of the operating system, and whether the devices themselves are reachable from the internet. If the devices are not reachable from the internet, that means neither the management interfaces nor any other device interfaces are exposed. You are safe! If a device is reachable, then you need to conduct additional analysis as described above.
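The triage this post walks through (find the PAN-OS devices, check their version train against the end-of-life and patched releases, and test whether each management IP falls inside the internet-reachable address space from Blast Radius) can be scripted once the inventory and reachability data have been exported. The following is an added example written for this post, not Forward Networks code or a Forward Enterprise API: the inventory row shape and the internet-reachable prefix are constructed, the two management IPs and the 7.1.0 / 10.0.9 versions are the ones from the lab example above, and the fixed-release thresholds are labelled placeholders that must be replaced with the values in the vendor advisory.

```python
import ipaddress

# Constructed inventory (assumed row shape, not a Forward Enterprise export format).
# The two management IPs and the 7.1.0 / 10.0.9 versions come from the post; the rest is made up.
INVENTORY = [
    {"name": "pa-edge-1", "vendor": "Palo Alto Networks", "os": "PAN-OS", "version": "10.0.9", "mgmt_ip": "10.100.0.177"},
    {"name": "pa-edge-2", "vendor": "Palo Alto Networks", "os": "PAN-OS", "version": "7.1.0", "mgmt_ip": "10.100.0.105"},
    {"name": "pa-dc-1", "vendor": "Palo Alto Networks", "os": "PAN-OS", "version": "10.1.14", "mgmt_ip": "203.0.113.20"},
    {"name": "pa-dc-2", "vendor": "Palo Alto Networks", "os": "PAN-OS", "version": "11.1.9", "mgmt_ip": "10.100.0.200"},
    {"name": "core-sw-1", "vendor": "Cisco", "os": "NX-OS", "version": "9.3.8", "mgmt_ip": "10.100.0.10"},
]

# Prefixes reachable from the internet gateway, as read off the Blast Radius view. Constructed.
INTERNET_REACHABLE = [ipaddress.ip_network("203.0.113.0/24")]

# Version trains the post identifies as end-of-life with no fix available (upgrade to 10.1 / 11.1).
EOL_TRAINS = {"10.0", "11.0"}

# PLACEHOLDER thresholds: replace with the fixed releases listed in the vendor advisory.
FIXED_MIN_PLACEHOLDER = {"10.1": "10.1.99", "11.1": "11.1.99"}


def parse_version(version):
    """'10.1.14-h9' -> (10, 1, 14, 9); missing fields are treated as zero."""
    base, _, hotfix = version.partition("-h")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + ((int(hotfix) if hotfix else 0),)


def train_of(version):
    """The major.minor train a release belongs to, e.g. '10.1.14' -> '10.1'."""
    major, minor, *_ = parse_version(version)
    return f"{major}.{minor}"


def classify_version(version, fixed_min):
    """Map a PAN-OS version to a remediation status."""
    train = train_of(version)
    if train in EOL_TRAINS:
        return "eol-no-fix-upgrade-required"
    if train in fixed_min:
        if parse_version(version) >= parse_version(fixed_min[train]):
            return "patched"
        return "vulnerable-patch-available"
    # Trains the advisory does not cover (e.g. 7.1, long past end of maintenance).
    return "unsupported-train-upgrade-required"


def is_internet_reachable(ip, reachable_prefixes):
    """True if the management IP lies inside any internet-reachable prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in reachable_prefixes)


def triage(inventory, reachable_prefixes, fixed_min=FIXED_MIN_PLACEHOLDER):
    """Return PAN-OS devices with status and exposure, most urgent first."""
    rows = []
    for dev in inventory:
        if dev["vendor"] != "Palo Alto Networks" or dev["os"] != "PAN-OS":
            continue
        rows.append({
            "name": dev["name"],
            "version": dev["version"],
            "status": classify_version(dev["version"], fixed_min),
            "mgmt_exposed": is_internet_reachable(dev["mgmt_ip"], reachable_prefixes),
        })
    # Exposed, unpatched management interfaces sort to the top.
    rows.sort(key=lambda r: (not r["mgmt_exposed"], r["status"] == "patched", r["name"]))
    return rows


if __name__ == "__main__":
    for r in triage(INVENTORY, INTERNET_REACHABLE):
        flag = "EXPOSED" if r["mgmt_exposed"] else "internal"
        print(f"{r['name']:<10} {r['version']:<10} {r['status']:<34} mgmt={flag}")
```

Devices whose management IP is inside the internet-reachable space and whose version is not at or above the fixed release come out first; those on the end-of-life trains are flagged as needing an upgrade rather than a patch, matching the guidance above. Feed the script real inventory rows and the actual Blast Radius prefixes, and replace the placeholder thresholds, before relying on its output.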
Incidentally, once you install the recommended patches, they also address file access vulnerability CVE-2025-0111 and file deletion vulnerability CVE-2025-0109, both in the PanOS management interface.
Happy patching and stay safe!