Summary: Exploitation attempts against CVE-2025-0108, a high-severity authentication bypass vulnerability in the management web interface of Palo Alto Networks PAN-OS firewalls, have surged in recent days. GreyNoise reports that the number of malicious IPs actively exploiting the flaw rose from two on February 13 to 25, indicating growing attacker interest. The vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication and invoke certain PHP scripts, which can lead to unauthorized access and, when combined with other flaws, full compromise of the device.
Palo Alto Networks has confirmed that attackers are chaining CVE-2025-0108 with other vulnerabilities, in particular CVE-2024-9474 and CVE-2025-0111, to increase the impact of their attacks. CVE-2024-9474 is an OS command injection vulnerability in the management web interface that enables privilege escalation to root, giving an attacker full control of the firewall. CVE-2025-0111 is an authenticated file read flaw that lets an attacker with access to the management interface read files on the PAN-OS filesystem that are readable by the "nobody" user; chained behind the authentication bypass, it no longer requires credentials.
Threat actors have been actively exploiting CVE-2024-9474 since at least November 2024. Earlier attacks paired it with CVE-2024-0012, another authentication bypass flaw, to exfiltrate sensitive configuration files, deploy a command-and-control implant, and install an obfuscated PHP web shell. Attackers also deployed the XMRig cryptocurrency miner to abuse the devices' resources for illicit mining. These campaigns show the ability to move from initial access to long-term persistence within compromised environments.
Security Officer Comments: CVE-2025-0108 and CVE-2025-0111 were publicly disclosed last week in Palo Alto Networks security advisories, alongside PAN-OS patches addressing these and other vulnerabilities. CVE-2025-0108 was reported by researchers at Assetnote, who published a detailed technical write-up and a proof-of-concept exploit on the same day the advisory went public. Exploitation attempts began almost immediately, underlining how quickly threat actors fold newly disclosed vulnerabilities into their operations.
Suggested Corrections: Organizations with internet-facing Palo Alto Networks firewalls that were not upgraded immediately after the latest security updates were released should assume the devices have been compromised. They should look for planted malware and for evidence of exploitation attempts from unexpected IPs. (Unfortunately, no public indicators of compromise are available yet.) According to GreyNoise, the top three source countries for attack traffic are the United States, Germany, and the Netherlands. All devices, whether or not they show signs of compromise, should be updated to one of the supported fixed versions. Organizations should also restrict access to their PAN-OS devices' management interface to trusted internal addresses rather than exposing it to the internet.
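The upgrade step above only becomes a reliable fleet check if version comparison handles PAN-OS hotfix suffixes correctly: a device on "10.2.13" is older than, and not fixed by, "10.2.13-h3". The following Python is an added example, not code from the article or from Palo Alto Networks. It parses PAN-OS version strings and flags devices below the fixed build for each of the three CVEs. The fixed-release table is filled from my recollection of the advisories and is an assumption that must be verified against the current advisory text; the hostnames and versions in the sample inventory are constructed.

```python
"""Check PAN-OS versions against the fixed releases for the three CVEs.

Added example, not code from the article or from Palo Alto Networks.
PAN-OS version strings look like "11.2.4" or "11.2.4-h4", where "-hN" is a
hotfix on top of a maintenance release; the hotfix number must take part
in the comparison or a base release will be mistaken for a fixed build.
"""
import re
from typing import Dict, List, Tuple

VersionTuple = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Fixed releases per release train, as recalled from the Palo Alto Networks
# advisories. ASSUMPTION: verify these against the current advisory text
# before relying on them. A train missing from a map has no fixed release
# for that CVE, so the device must move to a supported train.
FIXED_RELEASES: Dict[str, Dict[str, str]] = {
    "CVE-2025-0108": {"11.2": "11.2.4-h4", "11.1": "11.1.6-h1",
                      "10.2": "10.2.13-h3", "10.1": "10.1.14-h9"},
    "CVE-2025-0111": {"11.2": "11.2.4-h4", "11.1": "11.1.6-h1",
                      "10.2": "10.2.13-h3", "10.1": "10.1.14-h9"},
    "CVE-2024-9474": {"11.2": "11.2.4-h1", "11.1": "11.1.5-h1", "11.0": "11.0.6-h1",
                      "10.2": "10.2.12-h2", "10.1": "10.1.14-h6"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> VersionTuple:
    """Parse "major.minor.maint[-hN]"; a base release gets hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed build is at or above the fixed build."""
    return parse_panos_version(installed) >= parse_panos_version(fixed)


def assess(installed: str, cve: str) -> str:
    """Classify one device for one CVE: "fixed", "vulnerable" or "no-fix-on-train"."""
    major, minor, _, _ = parse_panos_version(installed)
    train = f"{major}.{minor}"
    fixed = FIXED_RELEASES[cve].get(train)
    if fixed is None:
        return "no-fix-on-train"
    return "fixed" if is_fixed(installed, fixed) else "vulnerable"


def assess_all(installed: str) -> Dict[str, str]:
    """Status of one device against every CVE in FIXED_RELEASES."""
    return {cve: assess(installed, cve) for cve in FIXED_RELEASES}


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (hostname, version, [CVEs not fixed]) for each "host version" line."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()
        unpatched = [cve for cve, status in assess_all(version).items() if status != "fixed"]
        report.append((host, version, unpatched))
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "# host        pan-os",
    "fw-edge-01    11.1.6",       # base release, one hotfix short of 11.1.6-h1
    "fw-edge-02    11.2.4-h4",    # at the fixed build for all three CVEs
    "fw-branch-03  10.2.13",      # below 10.2.13-h3
    "fw-legacy-04  11.0.6-h1",    # train with no fix for the 2025 CVEs
]

if __name__ == "__main__":
    for host, version, unpatched in triage_inventory(SAMPLE_INVENTORY):
        state = "OK" if not unpatched else "UPGRADE: " + ", ".join(unpatched)
        print(f"{host:<14}{version:<12}{state}")
```

Feed it the output of `show system info` (the `sw-version` field) from each device. Anything reported as "no-fix-on-train" cannot be fixed with a hotfix and needs a jump to a supported train, which is the case the table lookup catches that a plain numeric comparison would not.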
Link(s):https://www.helpnetsecurity.com/202...ls-cve-2025-0108-cve-2024-9474-cve-2025-0111/