Report Warns of Exploitation of Vulnerability in Palo Alto Networks Firewall by Threat Actors

Palo Alto Networks has issued a warning about a newly discovered zero-day vulnerability in its PAN-OS operating system, identified as CVE-2025-0108. This flaw potentially allows threat actors to bypass login authentication, and reports indicate that it is already being exploited in the wild.

Administrators are advised to ensure their devices are fully patched and to restrict access to the management interfaces of their firewalls, ideally blocking access from the open internet. According to Palo Alto Networks, this will significantly lower the risk of exploitation. The company recommends allowing management access only from trusted internal IP addresses, as detailed in its deployment best practices.
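The following is an added example, not code from Palo Alto Networks or the report: a small audit of a management-interface source allowlist against the "trusted internal IPs only" advice. It assumes the permitted sources have been exported as plain IP/CIDR strings, that "trusted internal" means RFC 1918 and IPv6 unique-local space, and that an empty list means no restriction; the function names and sample entries are hypothetical.

```python
import ipaddress

# Ranges treated as "trusted internal" in this example (assumption): RFC 1918
# private space plus IPv6 unique-local addresses. Replace with your own networks.
TRUSTED_SUPERNETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_entry(entry):
    """Return (verdict, reason) for one permitted-source entry."""
    try:
        # strict=False accepts host bits in the entry, e.g. 192.168.1.15/24.
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "invalid", "not an IP address or CIDR range"
    if net.prefixlen == 0:
        return "exposed", "matches every address, including the internet"
    for trusted in TRUSTED_SUPERNETS:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == trusted.version and net.subnet_of(trusted):
            return "ok", f"inside {trusted}"
    return "exposed", "not contained in any trusted internal range"


def audit_allowlist(entries):
    """Audit an allowlist; an empty list is treated as unrestricted (assumption)."""
    if not entries:
        return [("<empty>", "exposed", "no source restriction configured")]
    return [(e, *classify_entry(e)) for e in entries]


if __name__ == "__main__":
    # Constructed sample allowlist, not taken from any real device.
    sample = ["10.20.30.0/24", "192.168.1.15", "203.0.113.0/24",
              "0.0.0.0/0", "172.16.0.0/11", "fd12:3456::/32", "mgmt-host"]
    for entry, verdict, reason in audit_allowlist(sample):
        print(f"{verdict:8} {entry:18} {reason}")
```

The `172.16.0.0/11` entry is flagged because the short mask widens the range beyond private address space, a mistake that is easy to miss when reading an allowlist by eye.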

To identify at-risk devices, administrators can navigate to the Assets section in the Palo Alto Networks Customer Support Portal and look for those tagged with ‘PAN-SA-2024-0015’. Devices can be exposed through management interfaces, particularly if they are set up with GlobalProtect portals or gateways that are configured improperly.

The vulnerability stems from an architectural flaw between the Nginx and Apache components of PAN-OS. Essentially, Nginx initially processes web requests and passes them to Apache, which can treat the requests differently, creating the conditions for an authentication bypass. Assetnote, the firm that discovered the vulnerability, emphasized that such architectural issues are common and can lead to significant security risks.

Palo Alto Networks has confirmed that the vulnerability does not affect its Cloud NGFW or Prisma Access products. Prompt action is crucial as exploitation began shortly after the vulnerability was disclosed, highlighting the importance of immediate security measures.
