Palo Alto Networks has disclosed a zero-day vulnerability in its PAN-OS software (CVE-2025-0108), allowing attackers to bypass authentication on the management web interface.
With a CVSS score of 7.8 (HIGH), the flaw has been flagged as a significant security issue for organizations using vulnerable versions of PAN-OS.
Details of the Flaw
The vulnerability stems from a lack of proper authentication enforcement in the PAN-OS management web interface.
Exploiting this issue, unauthenticated attackers with network access could invoke specific PHP scripts without authorization.
While remote code execution (RCE) is not possible through this flaw, attackers could impact the integrity and confidentiality of the PAN-OS device.
However, Palo Alto Networks emphasizes that this vulnerability does not affect the company’s Cloud NGFW or Prisma Access products.
Vulnerability Scope and Impact
The issue is particularly significant for organizations that allow access to the management interface from untrusted networks or the internet.
Attackers leveraging this flaw do not require elevated privileges or user interaction, making exploitation straightforward.
The flaw is classified under CWE-306 (Missing Authentication for Critical Function) and CAPEC-115 (Authentication Bypass), underscoring its critical nature.
Palo Alto Networks has confirmed no known instances of malicious exploitation of this vulnerability.
Affected PAN-OS Versions
| PAN-OS Version | Affected | Fixed |
| PAN-OS 11.2 | < 11.2.4-h4 | >= 11.2.4-h4 |
| PAN-OS 11.1 | < 11.1.6-h1 | >= 11.1.6-h1 |
| PAN-OS 10.2 | < 10.2.13-h3 | >= 10.2.13-h3 |
| PAN-OS 10.1 | < 10.1.14-h9 | >= 10.1.14-h9 |
| PAN-OS 11.0 | End-of-Life (EoL) | No fixes planned |
Palo Alto Networks strongly advises customers to upgrade to the fixed versions listed above to mitigate the vulnerability.
For immediate mitigation, organizations can limit management interface access to trusted internal IP addresses by following Palo Alto’s best practices for securing administrative access.
Palo Alto Networks customers can view potentially exposed assets on the Customer Support Portal under the “Remediation Required” section.
By promptly addressing this issue, organizations can reduce the risk of exploitation and maintain the security of their critical network infrastructure.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
, allowing attackers to bypass authentication.){kind=link}