Article Details

Palo Alto firewalls under attack as miscreants chain flaws for root access. If you want to avoid urgent patches, stop exposing management consoles to the public internet. A flaw patched last week by Palo Alto Networks is now under active attack and, when chained with two older vulnerabilities, allows attackers to gain root access to affected systems. This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed an OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. Dark web intelligence services vendor Searchlight Cyber’s Assetnote team investigated the patch for CVE-2024-9474 and found another authentication bypass. Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it a highest urgency patch as the 8.8/10 flaw addressed an access control issue in PAN-OS's web management interface that allowed an unauthenticated attacker with network access to the management web interface to bypass authentication “and invoke certain PHP scripts.” Those scripts could “negatively impact integrity and confidentiality of PAN-OS.” The third flaw is CVE-2025-0111 a 7.1-rated mess also patched last week to stop authenticated attackers with network access to PAN-OS machines using their web interface to read files accessible to the “nobody” user. On Tuesday, US time, Palo A lot updated its advisory for CVE-2025-0108 with news that it’s observed exploit attempts chaining CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. The vendor’s not explained how the three flaws are chained but we understand doing so allows an attacker to gain more powerful privileges and gain full root access to the firewall. Maybe some more info will arrive soon: As The Register edited and fact-checked this story, the text of CVE-2025-0108 advisory changed to add mention of CVE-2025-0111! PAN notes its Cloud NGFW and Prisma Access services are unaffected. But users are urged to upgrade their PAN-OS operating systems - versions 10.1, 10.2, 11.0, 11.1, and 11.2 - to the latest patches immediately, since Palo Alto reports an "increasing number of attacks" exploiting these vulnerabilities. "Palo Alto Networks has confirmed reports of active exploitation targeting a CVSS 6.9 vulnerability (CVE-2025-0108) in the PAN-OS web management interface. This vulnerability, chained with other vulnerabilities like CVE-2024-9474, could allow unauthorized access to unpatched and unsecured firewalls," the biz confirmed to The Register. "We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk." However, keeping the management console away from public access isn't a foolproof solution. Palo Alto warns that even if you've limited access to the console to a restricted set of internal IP addresses, unpatched systems remain vulnerable, although the risk was "greatly reduced." Exposing management consoles to the internet is a known risk. Security vendors strongly advise against it unless absolutely necessary, though it remains a "challenge" for some, as one vendor politely told us. Some admins expose the consoles to the public internet as it eases remote management chores, and hope security through obscurity protects them PAN declined to specify how many customers are affected, but historically, most users keep their management interfaces private. Still, even those with restricted access must patch to stay secure. It's going to be a busy week for PAN administrators, since a general hotfix is expected by Thursday or sooner. Some customers have already received a limited-release patch, 11.1.4-h12, to address firewall reboots triggered by specific network traffic. PAN is now validating an additional fix before a wider rollout.