The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, which affect Palo Alto Networks’ PAN-OS and SonicWall’s SonicOS SSLVPN, were added after evidence of active exploitation, with attackers targeting specific components in both security platforms.
The first flaw, identified as CVE-2025-0108, involves an authentication bypass in the PAN-OS management interface. With a CVSS score of 7.8, this vulnerability allows unauthenticated attackers with network access to bypass authentication and invoke PHP scripts on the management interface. The second flaw, CVE-2024-53704, affects the SSLVPN authentication system in SonicWall devices. This vulnerability, with a CVSS score of 8.2, enables attackers to bypass authentication remotely.
Palo Alto Networks confirmed that exploitation attempts for CVE-2025-0108 have been detected, particularly when it is chained with other vulnerabilities, such as CVE-2024-9474. This combination could lead to unauthorized access to vulnerable and unsecured firewalls. The company has noted that attackers have been using these flaws to target unpatched PAN-OS web management interfaces.
According to GreyNoise, a cybersecurity threat intelligence firm, up to 25 malicious IP addresses have been observed actively exploiting CVE-2025-0108. The volume of attack traffic has increased dramatically, particularly from the United States, Germany, and the Netherlands. Meanwhile, Arctic Wolf reported that CVE-2024-53704 is also being weaponized quickly, with a proof-of-concept exploit shared by Bishop Fox.
In response to this active exploitation, CISA has issued a mandate requiring Federal Civilian Executive Branch agencies to address and remediate these vulnerabilities by March 11, 2025, to safeguard their networks.