PAN-OS Authentication Bypass - CVE-2025-0108

Incident Report for Rapid Response Status Page

Resolved

Dear Customers,

Following our recent update regarding the PAN-OS vulnerability (CVE-2025-0108), we continued our threat-focused hunting efforts, looking for suspicious requests.

We have published a visibility query that identifies PAN-OS devices which received malicious HTTP requests, based on PAN Threat Prevention alerts for Threat IDs 510000 and 510001.
We recommend validating that this traffic did not target any of your organization's PAN-OS devices and, where it did, confirming that those devices are fully patched. Note that a Threat Prevention hit shows that a request matching the signature reached the device, not that exploitation succeeded; a hit whose action is "alert" rather than a reset/drop action was logged but not blocked.

The query is also available on Axon's GitHub:
- PAN malicious HTTP request alert:
https://github.com/axon-git/rapid-response/blob/main/cve-2025-0108/pan_threat_logs_visibility.sql

Additionally, Axon reports have been published for Team Axon customers, including the updated list of deliverables.
Relevant hits that require your attention are listed in the Axon report alongside recommended investigation steps.


We continue to monitor CVE-2025-0108 and will provide further updates as necessary.
If you have any questions or need further assistance, please feel free to reach out.


Sincerely,
Team Axon
Posted Feb 17, 2025 - 11:59 UTC
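The check the visibility query above performs, shown as an added example that is not Axon's query and not Palo Alto Networks code: parse Threat Prevention log rows, keep the vulnerability-subtype rows whose threat name carries id 510000 or 510001, and group them per firewall serial and targeted IP so that devices with alert-only (unblocked) hits stand out for patch verification. The column layout `COLUMNS`, the `BLOCKING_ACTIONS` set and the sample log lines are assumptions constructed for this example; a real PAN-OS threat log export has many more columns, so map the threat-name/id column from your own export.

```python
"""Hunt PAN-OS Threat Prevention logs for CVE-2025-0108 signature hits.

Illustrative example added to this report; not Axon's visibility query and
not Palo Alto Networks code. COLUMNS is an assumed, simplified subset of a
PAN-OS threat log CSV export, and SAMPLE_LOGS is constructed, not telemetry.
"""
import csv
import io
import re
from collections import defaultdict

# Threat IDs published for CVE-2025-0108 (Applications and Threats content 8943).
CVE_2025_0108_THREAT_IDS = {"510000", "510001"}

# Assumed: actions meaning the firewall dropped or reset the session. A hit
# logged with action "alert" was observed but NOT blocked, which matters for triage.
BLOCKING_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both", "block-ip"}

# Assumed (simplified) column order of the constructed sample export.
COLUMNS = ["receive_time", "serial", "type", "subtype", "src", "dst",
           "rule", "app", "action", "threat_name", "severity", "direction"]

# PAN-OS renders the threat as "<name>(<id>)"; capture the trailing numeric id.
THREAT_ID_RE = re.compile(r"\((\d+)\)\s*$")

# Constructed sample: device ...901 has alert-only hits, device ...902 blocked one.
SAMPLE_LOGS = """\
2025/02/16 10:01:12,012345678901,THREAT,vulnerability,203.0.113.10,192.0.2.1,mgmt-allow,web-browsing,alert,Palo Alto Networks PAN-OS Authentication Bypass Vulnerability(510000),critical,client-to-server
2025/02/16 10:01:13,012345678901,THREAT,vulnerability,203.0.113.10,192.0.2.1,mgmt-allow,web-browsing,alert,Palo Alto Networks PAN-OS Authentication Bypass Vulnerability(510001),critical,client-to-server
2025/02/16 10:05:40,012345678902,THREAT,vulnerability,198.51.100.7,192.0.2.2,mgmt-allow,web-browsing,reset-both,Palo Alto Networks PAN-OS Authentication Bypass Vulnerability(510000),critical,client-to-server
2025/02/16 10:07:02,012345678901,THREAT,vulnerability,203.0.113.11,192.0.2.1,mgmt-allow,web-browsing,alert,HTTP OPTIONS Method(30520),informational,client-to-server
2025/02/16 10:08:15,012345678903,THREAT,url,10.0.0.5,198.51.100.200,outbound,web-browsing,alert,example.test/,low,client-to-server
"""


def extract_threat_id(threat_name: str):
    """Return the numeric threat id from 'Name(12345)', or None if absent."""
    match = THREAT_ID_RE.search(threat_name)
    return match.group(1) if match else None


def parse_threat_logs(text: str):
    """Parse CSV text into dicts keyed by COLUMNS (assumed layout)."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=COLUMNS))


def find_cve_2025_0108_hits(text: str):
    """Return every vulnerability-log row whose threat id is 510000 or 510001."""
    hits = []
    for row in parse_threat_logs(text):
        if row["type"] != "THREAT" or row["subtype"] != "vulnerability":
            continue
        threat_id = extract_threat_id(row["threat_name"])
        if threat_id not in CVE_2025_0108_THREAT_IDS:
            continue
        hits.append({
            "time": row["receive_time"],
            "serial": row["serial"],
            "src": row["src"],
            "dst": row["dst"],
            "threat_id": threat_id,
            "action": row["action"],
            "blocked": row["action"] in BLOCKING_ACTIONS,
        })
    return hits


def summarize_by_device(hits):
    """Group hits per (firewall serial, targeted IP) for triage.

    A device with unblocked > 0 received signature-matching requests that were
    only alerted on: verify its patch level and review its management-plane logs.
    """
    summary = defaultdict(lambda: {"hits": 0, "unblocked": 0,
                                   "sources": set(), "threat_ids": set()})
    for hit in hits:
        entry = summary[(hit["serial"], hit["dst"])]
        entry["hits"] += 1
        entry["unblocked"] += 0 if hit["blocked"] else 1
        entry["sources"].add(hit["src"])
        entry["threat_ids"].add(hit["threat_id"])
    return dict(summary)


if __name__ == "__main__":
    devices = summarize_by_device(find_cve_2025_0108_hits(SAMPLE_LOGS))
    for (serial, dst), entry in sorted(devices.items()):
        print(f"device {serial} ({dst}): {entry['hits']} hit(s), "
              f"{entry['unblocked']} not blocked, sources={sorted(entry['sources'])}, "
              f"threat_ids={sorted(entry['threat_ids'])}")
```

On the constructed sample this flags device 012345678901 (192.0.2.1) with two unblocked hits from 203.0.113.10 and device 012345678902 (192.0.2.2) with one hit that the firewall reset; the unrelated 30520 signature and the URL-filtering row are ignored. The grouping key is the destination IP because, for this vulnerability, the destination is the management interface that was probed.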

Investigating

Team Axon is aware of a published authentication bypass flaw in the Palo Alto Networks PAN-OS management web interface.
The flaw, identified as CVE-2025-0108, allows an unauthenticated attacker with network access to the management web interface to bypass its authentication and invoke certain PHP scripts.

A proof-of-concept exploit for this vulnerability has been published.

While invoking these PHP scripts does not enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS.

To mitigate the risk, we recommend the following:
- Patch all affected PAN-OS devices.
- Restrict management interface access to trusted internal IP addresses only.
- If you have a Threat Prevention subscription, block exploitation attempts by enabling Threat IDs 510000 and 510001 (introduced in Applications and Threats content version 8943).

The team is actively searching for evidence of exploitation of this vulnerability in our customers' environments.
Impacted customers will be notified directly.

Please don’t hesitate to contact us for further assistance or any relevant questions.

Sincerely,
Team Axon
Posted Feb 16, 2025 - 14:39 UTC
This incident affected: Rapid Response.