
Second Recently Patched Flaw Exploited to Hack Palo Alto Firewalls

Palo Alto Networks is warning customers that a second vulnerability patched in February is being exploited in attacks.


Palo Alto Networks is warning customers that a second PAN-OS vulnerability patched in February is being exploited in the wild to hack its firewalls.

On February 12, Palo Alto Networks published 10 new security advisories to inform customers about the availability of patches for various vulnerabilities. 

One of them was CVE-2025-0108, an authentication bypass vulnerability that hackers started exploiting the next day, after technical details and proof-of-concept (PoC) exploit code were made public. 

Palo Alto Networks confirmed the exploitation, as well as reports that CVE-2025-0108 can be chained with CVE-2024-9474, a privilege escalation flaw that was already known to be exploited, to achieve remote code execution.

Another vulnerability for which Palo Alto published an advisory on February 12 was CVE-2025-0111, described as a file read issue in PAN-OS that allows “an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the ‘nobody’ user”.

The cybersecurity firm updated its advisory for CVE-2025-0111 on Thursday to warn customers that it has seen exploitation attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 against unpatched firewalls.


When Palo Alto’s advisory for CVE-2025-0111 was published, the vulnerability was described as ‘medium severity’ and it had a ‘moderate urgency’ rating. The advisory has now been updated to describe it as a high-severity issue with the ‘highest’ urgency.

“We continue to monitor the situation and leverage the currently operational mechanisms to detect customer compromises in telemetry and TSFs and support them through the EFR remediations,” Palo Alto told SecurityWeek.

“Customers with any internet-facing PAN-OS management interfaces are strongly urged to take immediate action to mitigate these vulnerabilities. Securing external-facing management interfaces is a fundamental security best practice, and we strongly encourage all organizations to review their configurations to minimize risk,” it added.

Attempts to exploit CVE-2025-0108 have been observed by threat intelligence firm GreyNoise, which has to date seen attack attempts from over 30 unique IPs, and by the Shadowserver Foundation, a cybersecurity non-profit that is currently seeing over 3,000 internet-exposed PAN-OS management interfaces.

CISA on Thursday added CVE-2025-0111 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it by March 13. 

There does not appear to be any public information describing the attacks that chain CVE-2025-0111 with CVE-2025-0108. Security firm Arctic Wolf pointed out that in previously observed attacks involving CVE-2024-9474 and CVE-2024-0012 (an authentication bypass similar to CVE-2025-0108), hackers extracted firewall configurations and deployed malware on compromised devices.

Palo Alto Networks is urging customers to immediately apply patches or at least restrict access to the management interface to trusted internal IP addresses. Customers with a Threat Prevention subscription should enable Threat IDs 510000 and 510001 to block attacks exploiting these vulnerabilities.
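The mitigation that matters most here is the management-interface allowlist: every vulnerability in this chain is reached through the management web interface, so an interface that only answers trusted internal sources is not exploitable from the internet regardless of patch state. The following is an added example (not code from Palo Alto Networks or SecurityWeek) that audits such an allowlist offline. It takes the CIDR entries a firewall administrator would configure as permitted source addresses for the management interface and flags the weak settings: an empty list (which PAN-OS treats as "allow from any source"), an explicit 0.0.0.0/0, ranges outside private address space, and private ranges broader than a chosen threshold. The trusted blocks, the /16 threshold, and the four sample allowlists are all constructed for the example.

```python
import ipaddress

# Source blocks accepted as "internal" for this example (RFC 1918 space).
# Constructed defaults; a real deployment would list its actual management
# subnets and jump hosts here, not whole private ranges.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Private entries with a prefix shorter than this are reported as overly broad
# (assumed policy threshold for the example).
MIN_PREFIXLEN = 16


def audit_permitted_ips(entries, trusted=TRUSTED_SOURCES, min_prefixlen=MIN_PREFIXLEN):
    """Return (kind, entry, reason) findings for a management-interface allowlist.

    `entries` is an iterable of CIDR strings, the equivalent of the permitted
    source addresses configured on a PAN-OS management interface. An empty
    list is reported as UNRESTRICTED because, with nothing configured, the
    interface accepts connections from any source address.
    """
    findings = []
    entries = list(entries)
    if not entries:
        findings.append(("UNRESTRICTED", "-", "no allowlist configured: reachable from any source"))
        return findings

    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(("INVALID", raw, "not a valid IP network"))
            continue

        # 0.0.0.0/0 (or ::/0) is an allowlist in name only.
        if net.prefixlen == 0:
            findings.append(("UNRESTRICTED", raw, "entry covers the whole address space"))
            continue

        # subnet_of() only accepts networks of the same IP version.
        inside_trusted = any(
            net.subnet_of(t) for t in trusted if t.version == net.version
        )
        if not inside_trusted:
            findings.append(("PUBLIC_SOURCE", raw, "range lies outside the trusted internal blocks"))
        elif net.prefixlen < min_prefixlen:
            findings.append(("BROAD_RANGE", raw, f"prefix shorter than /{min_prefixlen}"))

    return findings


def is_exposed(entries, trusted=TRUSTED_SOURCES, min_prefixlen=MIN_PREFIXLEN):
    """True when the allowlist still lets untrusted sources reach the interface."""
    return any(
        kind in ("UNRESTRICTED", "PUBLIC_SOURCE")
        for kind, _, _ in audit_permitted_ips(entries, trusted, min_prefixlen)
    )


# Constructed sample allowlists, not taken from any real device.
NO_ALLOWLIST = []                                  # nothing configured
OPEN_ALLOWLIST = ["0.0.0.0/0"]                     # explicitly open to everyone
MIXED_ALLOWLIST = ["203.0.113.0/24", "10.0.0.0/8"]  # public range plus a too-broad private one
TIGHT_ALLOWLIST = ["10.42.7.0/24", "192.168.100.5/32"]  # management subnet plus one jump host

if __name__ == "__main__":
    for name, allowlist in [
        ("no allowlist", NO_ALLOWLIST),
        ("open", OPEN_ALLOWLIST),
        ("mixed", MIXED_ALLOWLIST),
        ("tight", TIGHT_ALLOWLIST),
    ]:
        print(f"{name}: exposed={is_exposed(allowlist)}")
        for kind, entry, reason in audit_permitted_ips(allowlist):
            print(f"  {kind:<14} {entry:<18} {reason}")
```

The check is deliberately conservative: a private range that is wider than a management subnet is flagged as BROAD_RANGE rather than treated as safe, because a /8 allowlist entry means any compromised host on the corporate network can reach the interface, which is exactly the foothold the config-extraction and malware deployment Arctic Wolf described would need.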

*updated with statement from Palo Alto Networks and recommendations from the company


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
