Vulnerability Analysis

Palo Alto PAN-OS Authentication Bypass: CVE-2025-0108

A path traversal flaw in the Palo Alto Networks PAN-OS management web interface allowed unauthenticated access to sensitive REST API endpoints. Exploitation began within days of disclosure.

Bob
Principal Security Researcher

On February 12, 2025, Palo Alto Networks published an advisory for CVE-2025-0108, an authentication bypass vulnerability in the management web interface of PAN-OS. The vulnerability received a CVSS score of 7.8 in the default configuration (management interface accessible on a restricted network) and 8.8 when the management interface was exposed to the internet.

Assetnote discovered the vulnerability during research into a previous PAN-OS flaw (CVE-2024-0012) and published a detailed technical analysis alongside proof-of-concept code. Exploitation in the wild was observed by GreyNoise within days of the publication.

Technical Root Cause

The vulnerability was a path traversal issue arising from an inconsistency in how two components of the PAN-OS management interface processed URL paths.

PAN-OS uses Nginx as a reverse proxy in front of an Apache server that hosts the management web application. The two servers handled URL-encoded path separators differently:

  1. Nginx received the request and performed access control checks based on the URL path.
  2. Certain URL paths, constructed with directory traversal sequences and double-encoding, passed Nginx's access control checks as an unauthenticated path.
  3. When Nginx forwarded the request to Apache, Apache decoded the path differently, routing the request to an authenticated API endpoint.

The result was that an unauthenticated attacker could access PHP scripts and REST API endpoints that were intended to require authentication. While this did not directly provide remote code execution, the accessible endpoints could be used to extract sensitive configuration data, including firewall rules, and potentially be chained with other vulnerabilities for more damaging impact.

Assetnote's research showed this was closely related to CVE-2024-9474, a privilege escalation vulnerability patched in November 2024. The two vulnerabilities could be chained: CVE-2025-0108 for unauthenticated access to the management API, and CVE-2024-9474 (if unpatched) for escalation to root-level command execution.

Affected Versions

| PAN-OS Branch | Affected Versions | Fixed Versions |
|---------------|-------------------|----------------|
| 11.2 | < 11.2.4-h4 | 11.2.4-h4+ |
| 11.1 | < 11.1.6-h1 | 11.1.6-h1+ |
| 10.2 | < 10.2.13-h3 | 10.2.13-h3+ |
| 10.1 | < 10.1.14-h9 | 10.1.14-h9+ |

PAN-OS 11.0 had reached end-of-life and did not receive a fix.

Exploitation Timeline

The speed at which exploitation began was notable:

  • February 12: Palo Alto Networks published the advisory. Assetnote published their technical writeup and PoC.
  • February 13: GreyNoise began observing exploitation attempts from multiple source IPs targeting exposed PAN-OS management interfaces.
  • February 14-18: Exploitation volume increased significantly, with automated scanning tools incorporating the vulnerability.

This timeline -- from advisory to widespread exploitation in under 48 hours -- has become the norm for high-profile network appliance vulnerabilities. Attackers monitor vendor advisories and security research blogs, and they move fast.

The Nginx-Apache Inconsistency Pattern

The architectural pattern that caused CVE-2025-0108 is not unique to Palo Alto. Many network appliances and web applications use a reverse proxy (typically Nginx or HAProxy) in front of an application server (Apache, Tomcat, Node.js, etc.). When these two layers interpret URLs differently, security controls enforced at the proxy layer can be bypassed.

This class of vulnerability has been given various names: path confusion, request smuggling, URL normalization bypass. The core issue is always the same: two components disagree on what URL they are processing, and the security decision is made by the component that gets it wrong.

Previous examples include:

  • CVE-2021-41773 / CVE-2021-42013 in Apache HTTP Server, where path traversal bypassed access controls.
  • Spring Framework's CVE-2022-22965 (Spring4Shell), where parameter binding differences between layers enabled RCE.
  • Numerous Tomcat path traversal issues involving semicolons, double-encoding, and trailing slashes.

For appliance vendors, the lesson is clear: security-critical URL parsing must be consistent across all layers of the request processing pipeline. Ideally, authentication and authorization checks should happen at the application layer, not solely at the reverse proxy.

Impact Assessment

While CVE-2025-0108 alone provided "only" unauthenticated access to the management API (not direct RCE), the practical impact was significant:

  • Configuration extraction: Attackers could read firewall configurations, including network topology information, NAT rules, and security policies.
  • Chaining potential: Combined with CVE-2024-9474 (patched November 2024, but not universally applied), the chain yielded unauthenticated RCE.
  • Reconnaissance value: Even without RCE, the information gained from a firewall's configuration is invaluable for planning further attacks against the network it protects.

Organizations that had applied the November 2024 patches for CVE-2024-9474 were partially protected -- they were vulnerable to information disclosure but not to the full chain. Organizations that had missed both patches faced the worst-case scenario.

Defensive Recommendations

  1. Patch PAN-OS to the fixed versions listed above.
  2. Never expose the management interface to the internet. Use dedicated management networks or VPN-only access.
  3. If you cannot patch immediately, apply Palo Alto's recommended Threat Prevention signatures (IDs 510000, 510001) which can detect and block exploitation attempts.
  4. Review management access logs for requests to /unauth/ paths or other anomalous URL patterns.
  5. Verify that CVE-2024-9474 patches were also applied. The chained exploitation scenario makes the older vulnerability relevant again.
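The two lessons above that lend themselves to code are the consistency requirement from the Nginx-Apache section (make the access-control decision on the same canonical path the application will ultimately serve) and recommendation 4 (review management access logs for anomalous URL patterns). The following is an added example, not Palo Alto or Assetnote code: it canonicalizes a request path by percent-decoding until the result is stable and collapsing dot segments, makes the auth decision on that canonical form, and then uses the disagreement between a naive prefix check on the raw path and the canonical decision as a triage signal over constructed access-log lines. The `/public/` unauthenticated prefix and the `/api/config` endpoint are constructed stand-ins (on PAN-OS the article names `/unauth/`), and the log lines are constructed in Apache combined-log style.

```python
"""Canonical-path access control plus access-log triage for path-confusion bypasses.
Added example; not vendor code. Prefixes, endpoints and log lines are constructed."""
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed: the only path tree that legitimately needs no authentication.
UNAUTH_PREFIX = "/public"
# Bound the decode loop so a pathological input cannot spin indefinitely.
MAX_DECODE_ROUNDS = 3

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def strip_query(target: str) -> str:
    """Drop the query string; routing and auth decisions are made on the path."""
    return target.split("?", 1)[0]


def fully_decode(path: str) -> str:
    """Percent-decode repeatedly until stable, so %252e and %2e both end as '.'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def canonical_path(target: str) -> str:
    """The path as the application layer would finally resolve it."""
    path = fully_decode(strip_query(target))
    if not path.startswith("/"):
        path = "/" + path
    # normpath resolves '.' and '..' and, for absolute paths, drops excess '..'.
    path = normpath(path)
    return re.sub(r"^/+", "/", path)  # POSIX keeps '//' verbatim; collapse it


def naive_requires_auth(target: str) -> bool:
    """Prefix check on the raw, undecoded path: the proxy-layer mistake."""
    raw = strip_query(target)
    return not (raw == UNAUTH_PREFIX or raw.startswith(UNAUTH_PREFIX + "/"))


def requires_auth(target: str) -> bool:
    """Prefix check on the canonical path: what every layer should decide on."""
    canon = canonical_path(target)
    return not (canon == UNAUTH_PREFIX or canon.startswith(UNAUTH_PREFIX + "/"))


def triage_log(lines):
    """Flag requests whose raw path looks unauthenticated but canonicalizes elsewhere."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        raw = m["target"]
        reasons = []
        if not naive_requires_auth(raw) and requires_auth(raw):
            reasons.append("unauth prefix resolves to protected path")
        if ".." in fully_decode(strip_query(raw)):
            reasons.append("dot-dot traversal segment")
        if re.search(r"%25", raw, re.IGNORECASE):
            reasons.append("double percent-encoding")
        if reasons:
            findings.append({
                "ip": m["ip"], "raw": raw, "canonical": canonical_path(raw),
                "status": int(m["status"]), "reasons": reasons,
            })
    return findings


# Constructed sample: two benign requests, two that ride the unauth prefix.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Feb/2025:10:01:22 +0000] "GET /public/status HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Feb/2025:10:01:40 +0000] "GET /api/config HTTP/1.1" 401 0',
    '198.51.100.9 - - [13/Feb/2025:10:02:03 +0000] "GET /public/%2e%2e/api/config HTTP/1.1" 200 2048',
    '198.51.100.9 - - [13/Feb/2025:10:02:05 +0000] "GET /public/%252e%252e/api/config?x=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["ip"], f["raw"], "->", f["canonical"], f["status"], "; ".join(f["reasons"]))
```

The design point is that `requires_auth` and the application's router both consume `canonical_path`, so there is no second interpretation for a request to slip between; `naive_requires_auth` exists only to model the proxy-layer check and to make the disagreement visible in triage. A 200 on a flagged line is the case worth escalating, since a correctly patched system answers the canonical path's auth requirement, not the raw prefix.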

How Safeguard.sh Helps

Safeguard.sh monitors your infrastructure inventory for known vulnerabilities and provides actionable intelligence when new CVEs are disclosed. For network infrastructure like Palo Alto firewalls, Safeguard tracks deployed firmware versions and immediately correlates them against new advisories.

With Safeguard's vulnerability prioritization, CVE-2025-0108 would be flagged with high urgency based on its active exploitation status, the availability of public exploit code, and its potential for chaining with other vulnerabilities. This helps security teams focus their patching efforts where the risk is highest, rather than working through CVEs in arbitrary order.

Safeguard also provides historical tracking, so you can verify not just that the current patch is applied, but that previous critical patches (like the November 2024 fix for CVE-2024-9474) were also deployed -- preventing the chaining scenarios that make individual vulnerabilities far more dangerous than they appear in isolation.
