- February 19, 2025
- Beazley Security Labs
Authentication Bypass in PAN-OS Management Web Interface (CVE-2025-0108)
On February 12th, Palo Alto Networks released an advisory (CVE-2025-0108) for an authentication bypass vulnerability in Palo Alto Networks PAN-OS software related to the management web interface. The vulnerability could allow for an unauthenticated attacker to run PHP scripts, potentially impacting device integrity.
Executive Summary
On February 12th, Palo Alto Networks released an advisory (CVE-2025-0108) for an authentication bypass vulnerability in Palo Alto Networks PAN-OS software related to the management web interface. The vulnerability could allow for an unauthenticated attacker to run PHP scripts, potentially impacting device integrity. Palo Alto Networks has also confirmed this CVE can be chained with another privileged escalation vulnerability (CVE-2024-9474) if unpatched, which if successfully exploited could result in unauthorized access to the firewall.
Along with their advisory, Palo Alto has released updated versions and Threat Prevention signatures to mitigate this attack. Please see the related patches and mitigations sections below.
Beazley Security recommends organizations immediately apply patches for affected Palo Alto devices and review systems for any signs of compromise.
Affected Systems or Products
This vulnerability was found on PAN-OS management web interfaces, affecting specific versions of the PAN-OS software. Please reference the table below for additional details.
Versions | Affected | Solution |
|---|---|---|
Cloud NGFW | None | N/A |
PAN-OS 11.2 | 11.2.0 through 11.2.4 | 11.2.4-h4 or later |
PAN-OS 11.1 | 11.1.0 through 11.1.6 | 11.1.6-h1 or later |
PAN-OS 11.0 | End of Life | Upgrade to supported, fixed version |
PAN-OS 10.2 | 10.2.0 through 10.2.13 | >= 10.2.13-h3 or later |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | 10.1.14-h9 or later |
Prisma Access | None | N/A |
NOTE: The vulnerability does not affect CLOUD NGFW or Prisma Access at the time of this writing.
Mitigations / Workarounds
Beazley Security strongly recommends upgrading any affected Palo assets to a version of PAN-OS that is not impacted.
Additionally, customers with Palo Alto Threat Prevention can block the attack by enabling Threat ID 510000 and 510001 in their subscription on affected devices.
This vulnerability affects a PAN-OS web management interface that should be restricted to only trusted network access. Beazley Security strongly recommends that organizations take the following steps regardless of whether they apply recently released patches:
Connect management interfaces to a network segment not accessible from the internet.
Ideally, only allow network traffic from a dedicated management network to management interfaces.
Apply any available patches to the device as soon as possible.
Detailed, best practice deployment guidance is provided by Palo Alto on how to secure management interfaces here.
Patches
Palo Alto has released patched versions of PAN-OS to mitigate this vulnerability. Patches can be found by accessing the Customer Support Portal. Recent updates also contain fixes for CVE-2025-0111 and CVE-2025-0109, less severe vulnerabilities that also impact the firewall’s management interface.
Indicators of Compromise
At the time of this writing, there are no publicly available indicators of compromise from Palo Alto. However, published proof-of-concept code and other research indicate that unexpected attempts to access ztp_gate.php may be related to testing for vulnerable systems, as well as URL encoding in the request (%252e%252e):
/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css
/unauth/2e%2e/php/ztp_gate.php/PAN_help/x.css
Palo Alto offers advice on how to detect assets that require remediation from this vulnerability in their advisory:
To find any assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
Review the list of your devices discovered in (Palo Alto's) scans to have an internet-facing management interface, are tagged with PAN-SA-2024-0015, and include a last seen timestamp (in UTC). If you do not see any such devices listed, then (Palo Alto's) scan did not find any devices on your account to have an internet-facing management interface within the past three days.
Technical Details
Palo Alto has released limited technical details regarding this vulnerability in their advisory. However, Searchlight Cyber posted an in-depth investigation regarding the authentication bypass. They identified a flaw within authentication checks due to a misalignment in handling URLs between Nginx and Apache engines, which serve the front end of the management interface.
The mismatch lets attackers craft a request to normally unauthenticated endpoints that Nginx would not subject to authentication checks. This allows an attacker to fool Nginx to pass on encoded URL content that, when decoded by Apache, will traverse the directory and place requests into sensitive or privileged functions behind the proxy. The end result is an authentication bypass to evoke certain functions or scripts.
The loophole makes it theoretically possible for an attacker to manipulate requests and jump to restricted or administrative interfaces managed by Apache, without credentials.
The vulnerability has also been reported to be observed as chained with other web admin exploits leveraging vulnerabilities (CVE-2024-9474, CVE-2025-0111). These exploits might be used to escalate privilege and perform administrative tasks, per an update to the exploitation status in Palo Alto’s advisory.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations to remediate any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.