Palo Alto Networks has resolved a critical security vulnerability in its PAN-OS software that could allow attackers to bypass authentication. Tracked as CVE-2025-0108, the flaw carries a CVSS score of 7.8, though this rating drops to 5.1 if access to the management interface is restricted to a jump box. The issue enables unauthenticated attackers with network access to the management web interface to bypass authentication and invoke specific PHP scripts, potentially compromising the integrity and confidentiality of PAN-OS, though it does not allow remote code execution.
The vulnerability affects multiple PAN-OS versions, including 11.2, 11.1, 10.2, and 10.1, with fixes available in updated versions. Security researcher Adam Kues, credited with discovering the flaw, identified it as a directory traversal attack stemming from inconsistencies in how the interface’s Nginx and Apache components process incoming requests. This discrepancy allows unauthorized access to certain system functionalities that should otherwise require authentication.
In addition to CVE-2025-0108, Palo Alto Networks has addressed two other vulnerabilities: CVE-2025-0109, a file deletion vulnerability that enables attackers to remove specific logs and configuration files, and CVE-2025-0110, a command injection flaw in the OpenConfig plugin that allows authenticated administrators to execute arbitrary commands. These issues have been resolved in the latest PAN-OS updates and in OpenConfig plugin version 2.1.2.
To reduce risk, Palo Alto Networks strongly recommends disabling access to the management interface from the internet or any untrusted network. Additionally, customers who do not use OpenConfig should consider disabling or uninstalling the plugin to eliminate potential attack vectors. By applying the latest updates and implementing security best practices, organizations can protect their systems from exploitation.
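Two of the points above translate directly into a log-triage check a defender can run: requests to the management web interface whose path contains traversal segments (the bug class described for CVE-2025-0108), and management access from any source outside the approved jump-box range (the condition that lowers the CVSS score and the vendor's mitigation). The following is an added example, not code from Palo Alto Networks or the researcher; the log format, the `10.0.5.0/24` jump-host range and the PHP file names are all constructed for illustration and are not the actual PAN-OS endpoints.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed access-log sample: "<source-ip> <method> <raw-path> <status>".
# Not the real PAN-OS log format; paths are hypothetical.
SAMPLE_LOG = """\
10.0.5.20 GET /php/login.php 200
10.0.5.20 GET /php/monitor.php 200
203.0.113.7 GET /php/login.php 401
10.0.5.20 GET /unauth/%2e%2e/php/admin.php 200
198.51.100.9 POST /public/..%2f..%2fphp/utils.php 200
"""

JUMP_HOSTS = ipaddress.ip_network("10.0.5.0/24")  # assumed jump-box range
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def fully_decode(raw, rounds=3):
    """Percent-decode until stable (bounded), so double-encoding does not hide '..'."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def canonical_path(raw):
    """Decode, then collapse '.' and '..' segments: the path the backend would really serve."""
    out = []
    for seg in fully_decode(raw).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def triage(log_text):
    """Return (line_no, reason, path, source) tuples for requests worth reviewing."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, raw_path, _status = m.groups()
        # A '..' segment after full decoding means the front end and back end
        # may disagree on the target; report the canonical file actually reached.
        if ".." in fully_decode(raw_path).split("/"):
            findings.append((n, "traversal", canonical_path(raw_path), src))
        # Any management-interface hit from outside the jump-box range is a policy gap.
        if ipaddress.ip_address(src) not in JUMP_HOSTS:
            findings.append((n, "non-jump-host", raw_path, src))
    return findings
```

Run against the sample, `triage` flags the two encoded traversal requests (lines 4 and 5) with the canonical PHP path they resolve to, plus the two requests from addresses outside the jump-box range.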