Exploitation attempts targeting CVE-2025-0108, a recently disclosed authentication bypass vulnerability affecting the management web interface of Palo Alto Networks’ firewalls, are ramping up.
“GreyNoise now sees 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13,” the threat intelligence company shared on Tuesday. “This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.”
CVE-2025-0108 + CVE-2024-9474 and/or CVE-2025-0111
Palo Alto Networks has updated the security advisory to confirm that it has observed exploit attempts chaining CVE-2025-0108 with:
- CVE-2024-9474, an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall with root privileges, and
- CVE-2025-0111, an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the “nobody” user.
CVE-2024-9474 has been actively exploited by attackers since November 2025.
The attackers leveraged CVE-2024-9474 and CVE-2024-0012, an auth bypass flaw, to exfiltrate sensitive files and information from vulnerable firewalls, deploy a command and control implant, an obfuscated PHP webshell, and the XMRig cryptocoin miner.
The existence of CVE-2025-0108 and CVE-2025-0111 was publicly disclosed by Palo Alto Networks via security advisories last week, following the release of PAN-OS versions that fixed these and other flaws.
Both security issues were flagged by external researchers. CVE-2025-0108 was reported by Assetnote researchers, who released technical details and a PoC exploit for it on the same day the advisory went out. Exploitation attempts started the next day.
What to do?
Organizations with internet-facing Palo Alto Networks’ firewalls that haven’t been upgraded immediately after the release of the latest security updates should assume the devices have been compromised. They should look for the presence of planted malware and for evidence of exploitation attempts coming from unexpected IPs. (Unfortunately, there are no publicly available indicators of compromise yet.)
According to GreyNoise, the top 3 source countries of attack traffic are the United States, Germany, and the Netherlands.
Both compromised and not compromised devices should be updated to one of the supported fixed versions. Organizations should also seriously consider securing access to their PAN devices’ management interface.
“Specifically, you should restrict management interface access to only trusted internal IP addresses,” Palo Alto Networks says.
“You can greatly reduce the risk of exploitation by restricting access to a jump box that is the only system allowed to access the management interface. This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses.”
