
WARNING: AUTHENTICATION BYPASS VULNERABILITY IN PAN-OS SOFTWARE, PATCH IMMEDIATELY!

Reference: Advisory #2025-36
Version: 3.0
Affected software: Palo Alto Networks PAN-OS software:
PAN-OS 11.2: < 11.2.4-h4
PAN-OS 11.1: < 11.1.6-h1
PAN-OS 10.2: < 10.2.13-h3
PAN-OS 10.1: < 10.1.14-h9
Type: Missing Authentication for Critical Function (CWE-306), authentication bypass, file read, and privilege escalation
CVE/CVSS:

CVE-2025-0108: CVSS-B: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)

Update 2025-02-20:

CVE-2025-0111: CVSS-B: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Red)

CVE-2024-9474: CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red) previously reported in advisory #2024-269

Update 2025-02-21:

CVE-2025-0110: CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)

Sources

Official Vendor: https://security.paloaltonetworks.com/CVE-2025-0108

Update 2025-02-20

Risks

CVE-2025-0108 Authentication Bypass CVSS-B 8.8

Due to missing authentication for a critical function (CWE-306) in PAN-OS software, an unauthenticated attacker with network access to the management web interface can bypass the authentication that interface normally requires. Palo Alto Networks has not released technical details about this vulnerability.

Update 2025-02-20

CVE-2025-0111, CVSS-B 7.1

An authenticated attacker with access to the management web interface can read files on the PAN-OS filesystem that are readable by the “nobody” user.

CVE-2024-9474, CVSS-B 6.9

This previously reported vulnerability (see Advisory #2024-269) allows privilege escalation through the PAN-OS management interface, enabling an attacker to execute actions on the firewall with root privileges.

To exploit these vulnerabilities, an attacker needs access to the PAN-OS device's management interface; to reduce the attack surface, this interface should never be internet-facing.

Update 2025-02-21

CVE-2025-0110 CVSS-B 8.6

A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary bash commands on the underlying OS via gnmi.Subscribe. The commands are run as device administrator.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

  • PAN-OS 10.1: Upgrade to 10.1.14-h9 or later
  • PAN-OS 10.2: Upgrade to 10.2.13-h3 or later
  • PAN-OS 11.0 (End-of-Life): Upgrade to a supported fixed version
  • PAN-OS 11.1: Upgrade to 11.1.6-h1 or later
  • PAN-OS 11.2: Upgrade to 11.2.4-h4 or later
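As an added example (not code from the CCB or from Palo Alto Networks) of applying the version table above to a firewall inventory, this Python script parses PAN-OS version strings including the -hN hotfix suffix, flags releases that sort below the fixed version for their release line, and treats the end-of-life 11.0 line as always needing an upgrade; the sample inventory is constructed.

```python
import re

# Fixed versions from the advisory's table above. A release is vulnerable when
# its major.minor line is listed and it sorts below the fix; 11.0 is EOL, no fix.
FIXED_VERSIONS = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}
EOL_LINES = {(11, 0)}
# major.minor.patch with an optional -hN hotfix; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(s):
    """Parse 'major.minor.patch[-hN]' into a comparable tuple. A release
    without a hotfix sorts as hotfix 0, so 11.1.6 < 11.1.6-h1."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def assess(version):
    """Return (status, fixed_version); status is 'vulnerable', 'fixed' or
    'unlisted' (a release line the advisory does not cover)."""
    v = parse_version(version)
    if v[:2] in EOL_LINES:
        return "vulnerable", None  # EOL line: no fixed release exists
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unlisted", None
    return ("vulnerable" if v < parse_version(fixed) else "fixed"), fixed

def triage(inventory):
    """Return [(host, version, fixed_version)] for every vulnerable device."""
    findings = []
    for host, ver in inventory:
        status, fixed = assess(ver)
        if status == "vulnerable":
            findings.append((host, ver, fixed))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [("fw-edge-01", "10.2.13-h2"), ("fw-edge-02", "10.2.13-h3"),
              ("fw-dc-01", "11.1.6"), ("fw-lab-01", "11.0.4")]
    for host, ver, fixed in triage(sample):
        print(f"{host}: {ver} vulnerable, fix: {fixed or 'none (11.0 is EOL)'}")
```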

Limit Exposure

The CCB recommends removing internet access to the PAN-OS management interface, which significantly reduces the chances of exploitation of the vulnerabilities mentioned here and of any future ones.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate a compromise that has already taken place.

References

Greynoise - https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108

NIST NVD:

Cybersecuritynews - https://cybersecuritynews.com/google-released-poc-exploit-for-palo-alto-firewall/