Palo Alto firewalls under attack as miscreants chain flaws for root access

If you want to avoid urgent patches, stop exposing management consoles to the public internet


A flaw patched last week by Palo Alto Networks is now under active attack and, when chained with two older vulnerabilities, allows attackers to gain root access to affected systems.

This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed someone with administrator account access to the management web interface to perform actions on the firewall operating system with root privileges. The company patched it in November 2024.

Dark web intelligence services vendor Searchlight Cyber’s Assetnote team investigated the patch for CVE-2024-9474, and found a separate authentication bypass.

Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it highest urgency: the 8.8-out-of-10 flaw is an access control issue in the PAN-OS web management interface that allows an unauthenticated attacker with network access to that interface to bypass authentication “and invoke certain PHP scripts.” Those scripts could “negatively impact integrity and confidentiality of PAN-OS.”

The third flaw is CVE-2025-0111, a 7.1-rated mess also patched last week, this one a file-read bug: an authenticated attacker with network access to the PAN-OS web management interface can read files that are accessible to the “nobody” user.

On Tuesday, US time, Palo Alto updated its advisory for CVE-2025-0108 with news that it has observed exploit attempts chaining that authentication bypass flaw with the CVE-2024-9474 privilege escalation hole on unpatched public-facing PAN-OS web management interfaces, presumably to gain full root-level control over the equipment. Further details were not released.

PAN says its Cloud NGFW and Prisma Access services are unaffected. But users are urged to upgrade their PAN-OS operating systems - versions 10.1, 10.2, 11.0, 11.1, and 11.2 - to the latest patches immediately, since Palo Alto reports an "increasing number of attacks" exploiting these vulnerabilities.

"Palo Alto Networks has confirmed reports of active exploitation targeting a CVSS 6.9 vulnerability (CVE-2025-0108) in the PAN-OS web management interface. This vulnerability, chained with other vulnerabilities like CVE-2024-9474, could allow unauthorized access to unpatched and unsecured firewalls," the biz confirmed to The Register.

As The Register edited and fact-checked this story, the text of the CVE-2025-0108 advisory changed to add mention of CVE-2025-0111, in that all three could be and have been chained to exploit customers' devices: "Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces."

"We are urging all customers with internet-facing PAN-OS management interfaces to immediately apply the security updates released on February 12, 2025," a spokesperson for PAN told us. "Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk."

However, keeping the management console away from public access isn't a foolproof solution. Palo Alto warns that even if you've limited access to the console to a restricted set of internal IP addresses, unpatched systems remain vulnerable, although the risk was "greatly reduced."

Exposing management consoles to the internet is a known risk. Security vendors strongly advise against it unless absolutely necessary, though it remains a "challenge" for some, as one vendor politely told us. Some admins expose the consoles to the public internet because it eases remote management chores, and hope security through obscurity protects them.

PAN declined to specify how many customers are affected, but historically, most users keep their management interfaces private. Still, even those with restricted access must patch to stay secure.
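The advice above boils down to one question an administrator can answer from a config export: which source addresses may reach the web management interface? The following is an added example, not Palo Alto Networks code, that audits a PAN-OS XML configuration for that. It assumes the export layout in which the MGT port's allow-list lives under deviceconfig/system/permitted-ip and data-plane interface management profiles live under network/profiles/interface-management-profile (treat those paths as an assumption and check them against your own export); the sample config embedded in the block is constructed for the example. An empty allow-list, a 0.0.0.0/0 or ::/0 entry, or any non-RFC1918 range is reported as a finding.

```python
"""Audit a PAN-OS config export for an internet-reachable web management UI.

Added example, not Palo Alto Networks code. The XML paths below are an
assumption modelled on a PAN-OS config export; verify them against a real one.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Ranges considered "internal". Anything outside these is reported as public.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample: the MGT port has an empty allow-list (anyone who can route
# to it reaches the login page), one data-plane profile serves HTTPS to the whole
# internet, one is correctly restricted, and one only answers ping.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>edge-fw-1</hostname>
          <permitted-ip/>
        </system>
      </deviceconfig>
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="allow-mgmt-public">
              <https>yes</https>
              <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>
            </entry>
            <entry name="allow-mgmt-internal">
              <https>yes</https>
              <ping>yes</ping>
              <permitted-ip>
                <entry name="10.10.5.0/24"/>
                <entry name="10.10.6.12"/>
              </permitted-ip>
            </entry>
            <entry name="ping-only">
              <ping>yes</ping>
            </entry>
          </interface-management-profile>
        </profiles>
      </network>
    </entry>
  </devices>
</config>"""


def classify_entries(entries):
    """Return findings (strings) for one permitted-ip allow-list.

    An empty list means PAN-OS applies no source restriction at all, which is
    the worst case; a /0 entry is equivalent; anything not inside an RFC 1918 /
    ULA range is flagged so a human can decide whether it is really trusted.
    """
    if not entries:
        return ["no permitted-ip entries: any source address may connect"]
    findings = []
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)  # bare host -> /32 or /128
        if net.prefixlen == 0:
            findings.append(f"{raw}: allows every source address")
            continue
        same_family = [p for p in PRIVATE_NETS if p.version == net.version]
        if not any(net.subnet_of(p) for p in same_family):
            findings.append(f"{raw}: non-RFC1918 source range")
    return findings


def audit_config(xml_text):
    """Map each web-UI exposure point to its list of findings.

    Keys: 'mgmt-interface' for the dedicated MGT port, and 'profile:<name>' for
    every interface management profile that enables http or https. Profiles
    that do not serve the web UI are skipped entirely.
    """
    root = ET.fromstring(xml_text)
    report = {}
    mgmt = root.findall("./devices/entry/deviceconfig/system/permitted-ip/entry")
    report["mgmt-interface"] = classify_entries([e.get("name") for e in mgmt])

    path = "./devices/entry/network/profiles/interface-management-profile/entry"
    for prof in root.findall(path):
        serves_web = any(
            (prof.findtext(svc) or "").strip() == "yes" for svc in ("https", "http")
        )
        if not serves_web:
            continue
        entries = [e.get("name") for e in prof.findall("permitted-ip/entry")]
        report[f"profile:{prof.get('name')}"] = classify_entries(entries)
    return report


if __name__ == "__main__":
    for where, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{where}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Run against the sample, the MGT port and the allow-mgmt-public profile are reported as exposed while allow-mgmt-internal passes and ping-only is ignored. Restricting the allow-list reduces, not removes, the risk, which is the point the article makes: an attacker already inside one of the permitted ranges can still chain the three bugs on an unpatched box, so the audit is a companion to patching, not a substitute for it.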

It's going to be a busy week for PAN administrators, since a general hotfix is expected by Thursday or sooner. Some customers have already received a limited-release patch, 11.1.4-h12, to address firewall reboots triggered by specific network traffic. PAN is now validating an additional fix before a wider rollout. ®
