Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Authentication Bypass in Palo Alto Networks PAN-OS Management Web Interface

Identifiers: CVE-2025-0108 · CWE-306 (Missing Authentication for Critical Function)

CVE-2025-0108 is an authentication bypass vulnerability in the Palo Alto Networks PAN-OS management web interface. An unauthenticated attacker with network access to the management web interface can bypass the normal authentication checks and invoke certain PHP scripts. Multiple supporting references attribute the issue to incorrect request handling, specifically a request-parsing inconsistency between the Nginx and Apache handlers in PAN-OS, with double URL encoding cited as sufficient to trigger the bypass. The vulnerability affects PAN-OS firewall management interfaces; it does not affect Cloud NGFW or Prisma Access software. The flaw does not itself provide remote code execution, but it grants access to functionality that should require authentication and has been observed chained with other PAN-OS vulnerabilities in real-world attacks.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass authentication on the PAN-OS management web interface and invoke specific PHP scripts. The vendor description states this can negatively affect the integrity and confidentiality of PAN-OS. The supporting content further indicates the flaw has been actively exploited in the wild and chained with other vulnerabilities such as CVE-2025-0111, CVE-2024-9474, and CVE-2025-0110 to read files, perform administrator actions, escalate privileges, and ultimately compromise affected firewalls. On its own, the issue does not provide remote code execution, but it materially lowers the barrier to full device compromise when combined with additional flaws.

Mitigation

If you can’t patch tonight, do this now.

Restrict access to the PAN-OS management web interface to trusted internal IP addresses only and remove internet exposure of the management interface wherever possible. This mitigation is explicitly recommended in the provided content and materially reduces exposure to unauthenticated network-based exploitation. Additional defensive measures mentioned in the content include increasing monitoring and detection for suspicious activity on management interfaces. If compromise is suspected, do not rely on patching alone; perform incident response and threat hunting because prior attacker access may persist or have already resulted in follow-on actions.

Remediation

Patch, then assume compromise.

Apply Palo Alto Networks security updates for affected PAN-OS releases. The provided content references fixed versions including PAN-OS 10.1.14-h9 or later, 10.2.13-h3 or later, 11.1.6-h1 or later, and 11.2.4-h4 or later. PAN-OS 11.0 is identified as end-of-life and should be upgraded to a supported fixed release. Because exploitation in the wild has been reported, patching should be treated as urgent. The content also notes that patching does not remediate any prior compromise, so affected organizations should additionally investigate for signs of historical exploitation.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (7 hidden).

Valid: 1 / 8 total
CVE-2025-0108 · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) and a fixed implementation for CVE-2025-0108, which is a path confusion and header smuggling vulnerability in a multi-layer web stack (Nginx -> Flask backend -> Apache/PHP). The repository is structured into two main directories: one for the vulnerable setup ('CVE-2025-0108_vulnerable') and one for the fixed setup ('CVE-2025-0108_fixed'). Each setup contains Dockerfiles for the backend (Flask) and PHP services, as well as Nginx configuration files and a docker-compose.yml to orchestrate the environment. The vulnerable implementation demonstrates how a double-encoded path in an HTTP request can bypass authentication checks due to inconsistent path decoding between Nginx and the backend Flask application. The exploit is performed by sending a specially crafted HTTP request (using curl) to the Nginx proxy, which forwards it to the backend and ultimately allows access to a protected PHP endpoint. The fixed implementation adds additional path normalization and checks in the backend to prevent this bypass. The repository is intended for educational purposes and includes detailed instructions and test cases in the README.md. The main exploit capability is authentication bypass via path confusion and header smuggling, and the main fingerprintable endpoint is the crafted HTTP URL targeting the Nginx proxy and backend services.
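The two defensive points on this page, the path normalization the fixed setup is described as adding and the increased monitoring of management interfaces recommended under Mitigation, come down to the same idea: decide authorization on a canonical path, and treat a request that only becomes meaningful after more than one round of percent-decoding as suspicious. The following is an added example, not code from Mallory, Palo Alto Networks or the PoC repository; the /secure/ prefix, the script names, the log format and the log lines are all hypothetical, constructed for the demonstration.

```python
"""Added example (not Mallory's, Palo Alto Networks' or the PoC repo's code):
a canonical-path gate of the kind the fixed setup is described as adding,
plus a scan over constructed access-log lines for multiply encoded requests.
PROTECTED_PREFIX, the script names and SAMPLE_LOG are hypothetical."""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/secure/"   # hypothetical prefix whose scripts require a session
MAX_DECODE_ROUNDS = 3           # bound repeated decoding so a hostile path cannot loop


def canonical_path(raw_target: str) -> tuple[str, int]:
    """Return (canonical path, decode rounds).

    Percent-decodes until the result stops changing (bounded), then collapses
    duplicate slashes and dot segments. rounds >= 2 means the request was
    encoded more than once, which a well-formed client never needs to do.
    """
    path = raw_target.split("?", 1)[0]
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path), rounds


def naive_is_protected(raw_target: str) -> bool:
    """The weak check: a prefix match on the raw, undecoded path. A later hop
    that decodes once more serves a different path than the one judged here."""
    return raw_target.startswith(PROTECTED_PREFIX)


def is_protected(raw_target: str) -> bool:
    """The hardened check: decide on the canonical path, and treat any multiply
    encoded request as protected so it can never be waved through as public."""
    canon, rounds = canonical_path(raw_target)
    return rounds >= 2 or canon.startswith(PROTECTED_PREFIX)


# nginx "combined" log format; only the fields the scan needs are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def scan_access_log(lines):
    """Flag requests whose canonical path lands under the protected prefix only
    after more than one decode round. A 2xx on such a line is the highest-signal
    case: the front end let it through as if it were a public path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        canon, rounds = canonical_path(m["target"])
        if rounds >= 2 and canon.startswith(PROTECTED_PREFIX):
            findings.append((m["ip"], canon, rounds, int(m["status"])))
    return findings


SAMPLE_LOG = [  # constructed lines, not real traffic
    '198.51.100.9 - - [12/Feb/2025:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Feb/2025:10:00:02 +0000] "GET /secure/admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Feb/2025:10:00:03 +0000] "GET /%2573ecure/admin.php HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        target = LOG_RE.match(line)["target"]
        print(f"{target:28} naive={naive_is_protected(target)!s:<6} canonical={is_protected(target)}")
    print("findings:", scan_access_log(SAMPLE_LOG))
```

The third sample line is the interesting one: the raw target does not start with the protected prefix, so a prefix check on the undecoded path calls it public, yet after two decode rounds it is exactly the protected script. In a real deployment the gate belongs on every hop that makes an authorization decision, and the log scan is a cheap retrospective check for the period before a fixed release was applied.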

kso4more · Disclosed Oct 25, 2025 · python, php, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor: Paloaltonetworks · Product: Pan-Os · Type: operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (2)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (14)

Community discussion across Reddit, Mastodon, and other social sources.