
Hackers Exploit Palo Alto Firewall Vulnerability Day After Disclosure

Attempts to exploit CVE-2025-0108, an authentication bypass vulnerability in Palo Alto firewalls, started one day after disclosure.


Attempts to exploit an authentication bypass vulnerability affecting Palo Alto Networks firewalls started just one day after the flaw was publicly disclosed, according to threat intelligence firm GreyNoise. 

Palo Alto Networks announced patches and mitigations for the vulnerability on February 12. The PAN-OS flaw, tracked as CVE-2025-0108, allows an unauthenticated attacker to gain access to the firewall’s management interface and execute certain PHP scripts. 

GreyNoise informed SecurityWeek on February 13 that it had started seeing exploitation attempts targeting CVE-2025-0108. The threat intelligence company has seen exploitation attempts coming from five unique IPs as of the morning of February 14. 

The exploitation attempts have been flagged by GreyNoise as ‘malicious’, which indicates that they are likely conducted by threat actors rather than security researchers trying to determine the prevalence of vulnerable systems. 

Assetnote, whose researchers discovered the issue, disclosed technical details of the vulnerability immediately after Palo Alto announced the patches and mitigations, which may have made it easier for threat actors to add CVE-2025-0108 to their arsenal.  

On the other hand, Assetnote did point out that CVE-2025-0108 needs to be chained with a separate vulnerability for remote code execution.


One candidate is the actively exploited CVE-2024-9474. Threat actors may have found a new vulnerability similar to CVE-2024-9474, or they may be targeting systems whose owners have not updated them for several months (CVE-2024-9474 was patched in November 2024).

In addition, Assetnote said CVE-2025-0108 is distinct from, but related to, CVE-2024-0012, an authentication bypass known to have been exploited in the wild alongside CVE-2024-9474. It’s possible that threat actors simply adapted their exploit for CVE-2024-0012 to target CVE-2025-0108 and did not need the information published by the security firm.

SecurityWeek has reached out to Assetnote for clarifications on why it made technical details public so soon after disclosure. We have also reached out to Palo Alto Networks for confirmation that CVE-2025-0108 is being exploited in attacks. This article will be updated if they respond.

Palo Alto Networks’ advisory for CVE-2025-0108 still indicates that the company is not aware of in-the-wild exploitation, and while the vulnerability is considered ‘high severity’, the urgency rating assigned to it by the vendor is ‘moderate’.

UPDATE, Feb. 17: Assetnote has shared the following clarifications with SecurityWeek:

This was a coordinated disclosure with Palo Alto where their security team confirmed multiple times we would be announcing together on February 12th. It’s important to note that attackers are able to reverse engineer vendor security patches (fairly easily), which often is their path to exploitation. Point being, as with every security patch release, attackers will find opportunities to exploit regardless of our post.

Our research post is in efforts to help defenders understand how the vulnerability works so they can find any intrusion attempts and, therefore, for the security community to see if there has been exploitation in the wild. Otherwise, we would all be operating in the dark.

UPDATE, Feb. 18: Palo Alto Networks has confirmed exploitation based on a publicly available PoC.

Related: Palo Alto Networks Patches High-Severity Vulnerability in Retired Migration Tool

Related: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls

Related: Palo Alto Networks Patches Firewall Zero-Day Exploited for DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
