Palo Alto Networks PAN-OS
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*
- < 11.2.4-h4
- < 11.2.5
- < 11.1.2-h18
- < 11.1.4-h13
- < 11.1.6-h1
- < 10.2.7-h24
- < 10.2.8-h21
- < 10.2.9-h21
- < 10.2.10-h14
- < 10.2.11-h12
- < 10.2.12-h6
- < 10.1.14-h9
This vulnerability is being actively exploited in the wild.
A vulnerability allowing authentication bypass has been identified in the management web interface of Palo Alto Networks PAN-OS. This flaw enables an unauthenticated attacker with network access to the management interface to bypass authentication and invoke certain PHP scripts. While this does not lead to remote code execution, it can adversely affect the integrity and confidentiality of the PAN-OS system. The vulnerability arises from a misconfiguration in the Nginx reverse proxy, which improperly handles authentication headers, allowing unauthorized access to PHP scripts that could be exploited to manipulate system data or settings.
Exploitation of this vulnerability allows for full authentication bypass in the PAN-OS management interface, enabling unauthorized access to the system. This flaw has been observed to be actively exploited in the wild, particularly when chained with other vulnerabilities, to gain root access on affected devices.
The vulnerability can be reproduced by sending a request to the management web interface that includes double URL-encoded path traversal sequences. The Nginx server will decode the request, bypass authentication, and then Apache will reprocess the request, stripping the traversal encoding and allowing access to the PHP scripts without authentication. This can be automated with a Python script available in the GitHub repository 'iSee857/CVE-2025-0108-PoC'.
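The encoding discrepancy described above (one layer decoded by the reverse proxy, a second by the backend) leaves a recognizable trace in web access logs: request paths whose traversal sequences only appear after more than one round of URL decoding. The following detector is an added example for defenders, not code from the page, from Palo Alto Networks, or from the referenced PoC repository; it assumes a combined-format access log and the sample lines, client addresses and paths it scans are constructed for illustration:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, not from any real device):
# a normal request, a single-encoded traversal, a double-encoded one and a triple-encoded one.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2025:10:01:02 +0000] "GET /php/login.php HTTP/1.1" 200 1234
10.0.0.7 - - [15/Feb/2025:10:01:05 +0000] "GET /images/%2e%2e/index.php HTTP/1.1" 404 0
203.0.113.9 - - [15/Feb/2025:10:01:09 +0000] "GET /assets/%252e%252e/%252e%252e/index.php HTTP/1.1" 200 512
203.0.113.9 - - [15/Feb/2025:10:01:11 +0000] "GET /assets/%25252e%25252e/index.php HTTP/1.1" 200 512
"""

# Pulls method and request-target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A ".." path segment, i.e. a parent-directory traversal once decoding is complete.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_layers(path, max_rounds=3):
    """Return the successive URL-decodings of path, starting with the raw value,
    stopping once decoding no longer changes the string or max_rounds is reached."""
    layers = [path]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def classify(path):
    """Return the number of decoding rounds needed before a traversal segment
    appears (0 = plain '..', 1 = single-encoded, 2+ = nested encoding), or None
    if no traversal segment appears in any layer."""
    for depth, layer in enumerate(decode_layers(path)):
        if TRAVERSAL_RE.search(layer):
            return depth
    return None


def scan_log(text):
    """Scan access-log text and return (client_ip, raw_path, depth) for every
    request whose path only reveals a traversal after URL decoding (depth >= 1).
    Depth 2 or more is the nested-encoding pattern a proxy/backend double-decode
    discrepancy would let through, and is the signal worth alerting on."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split()[0]
        # Drop any query string; only the path is routed by the proxy.
        path = match.group("path").split("?", 1)[0]
        depth = classify(path)
        if depth is not None and depth >= 1:
            findings.append((client_ip, path, depth))
    return findings


if __name__ == "__main__":
    for ip, path, depth in scan_log(SAMPLE_LOG):
        label = "nested-encoded traversal" if depth >= 2 else "encoded traversal"
        print(f"{ip}\t{label} (decode depth {depth})\t{path}")
```

Run it against a real log by feeding the file contents to `scan_log`; a decode depth of 2 or more from an untrusted source address against the management interface is the pattern to escalate, and the single-encoded hits (depth 1) are usually scanner noise worth a lower-priority look. Because the detector decodes iteratively rather than matching fixed strings, it also catches mixed-case hex and deeper nesting than the examples shown.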
Users are advised to upgrade to PAN-OS versions 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.5. For 11.0 and other unsupported versions, upgrade to a supported fixed version. Additionally, restrict management interface access to trusted internal IP addresses.