Palo Alto Networks, Authentication Bypass, CVE-2025-0108 (Critical)

Listen to this Post

CVE-2025-0108 is an authentication bypass vulnerability in the PAN-OS management web interface. It affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1. The flaw resides in improper normalization of URI paths by the embedded web server. An unauthenticated attacker can send a specially crafted HTTP request to the management interface. The request contains encoded path traversal characters, such as `%2e%2e%2f` or semicolons. Due to inconsistent parsing between the front-end (nginx) and back-end (PHP) components, the authentication middleware is skipped. For example, a request to `/unauth/%2e%2e%2e%2fprotected/` may be interpreted as `/protected/` after normalization. The middleware checks only the raw URI, while the back-end processes the normalized path. This discrepancy allows access to administrative endpoints without valid credentials. Attackers can then execute arbitrary commands, change configurations, or extract sensitive data. The vulnerability is reachable only if the management interface is exposed to the network. Default configurations do not expose it to the internet, but many administrators enable it. Proof-of-concept exploits use crafted `Host` headers or path confusion. The CVE was disclosed on February 12, 2025, with a CVSS score of 7.5 (High). Palo Alto Networks released patches in the same month. The root cause is a lack of canonicalization before authorization checks. Remediation involves updating to fixed versions or restricting management access.
Platform: Palo Alto PAN-OS
Version: 10.2-12.1 affected
Vulnerability: Authentication Bypass
Severity: Critical
date: Feb 12 2025

Prediction: Already patched (Feb2025)

What Undercode Say:

Check PAN-OS version via CLI
show system info | grep version
Test for CVE-2025-0108 (unauthenticated access attempt)
curl -k -X GET "https://<target>/unauth/../../api/xxxx" --path-as-is
Nmap script detection (hypothetical)
nmap -p 443 --script http-vuln-cve2025-0108 <target>
Mitigation: Restrict management access using ACL
set deviceconfig system ipv6-management-allow-ips <trusted_subnet>

Exploit:

Craft a GET request with double-encoded path traversal: /manage/%2e%2e/%2e%2e/%2e%2e//index.php. Send to port 443 of the management interface. If the response returns a 200 OK with administrative content, the bypass succeeds. Attackers can then issue commands via `/api/` endpoints without authentication.

Protection from this CVE:

  1. Upgrade PAN-OS to fixed versions: 10.2.13-h16, 11.1.10-h21, 11.2.7-h12, 12.1.6-h1 or later.

2. Disable management interface access from untrusted networks.

  1. Use interface management profiles to allow only specific IPs.
  2. Apply virtual patch via threat prevention signatures (Palo Alto ID 92847).

Impact:

Complete compromise of the firewall’s management plane. Attackers can read configuration (including passwords), modify security policies, disable logging, and pivot to internal networks. Unauthenticated remote code execution leads to persistent backdoor installation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top