PAN admins urged to block open internet access to firewall management interfaces after discovery of vulnerability.

Admins with firewalls from Palo Alto Networks should make sure the devices are fully patched and the management interface blocked from open internet access after the discovery this week of a zero-day login authentication bypass in the PAN-OS operating system.

The vulnerability (CVE-2025-0108) was discovered by researchers at Assetnote and, according to researchers at Greynoise, is already being exploited.

For its part, Palo Alto Networks (PAN) said administrators can “greatly reduce the risk” of exploitation by restricting access to the management web interface to only trusted internal IP addresses, in line with its recommended best practices deployment guidelines. “This will ensure that attacks can succeed only if they obtain privileged access through those specified IP addresses,” the company said.

Security experts regularly warn network admins and infosec pros about the dangers of exposing device management interfaces to the open internet. One way to protect them is to reach them only through a virtual private network (VPN); another is to restrict access to internal IP addresses.

Finding at-risk devices

To find any assets that require remediation, PAN says admins should go to the Assets section of its Customer Support Portal and look for the Remediation Required section. Devices that have an internet-facing management interface will be listed there, tagged ‘PAN-SA-2024-0015’. If no devices are listed, none have an internet-facing management interface. Note that if a management profile has been configured on interfaces with GlobalProtect portals or gateways, the device is exposed through the management web interface, which is typically accessible on port 4443. The issue doesn’t affect the company’s Cloud NGFW or Prisma Access software.
Greynoise said exploitation began around Tuesday of this week. Assetnote published research about the hole on Wednesday, and Palo Alto Networks published its advisory the same day.

‘Weird path-processing behavior’

The vulnerability, Assetnote said, stems from a “weird path-processing behavior” in the Apache HTTP server component of PAN-OS, which, along with Nginx, handles web requests to the PAN-OS management interface. A web request first hits the Nginx reverse proxy; if it arrives on a port that indicates it is destined for the management interface, PAN-OS sets several headers, the most important of which is X-pan-AuthCheck. The Nginx configuration then runs through several location checks and selectively sets the auth check to off. The request is then proxied to Apache, which re-normalizes and re-processes it and, under certain conditions, applies a rewrite rule. If the file requested is a PHP file, Apache passes the request on via mod_php FCGI, which enforces authentication based on the header.

The problem is that Apache may process the path or headers differently from Nginx before the request is handed to PHP. If what Nginx thinks a request looks like differs from what Apache thinks it looks like, an attacker can achieve an authentication bypass.

Assetnote describes this as a “quite common” architecture problem: authentication is enforced at a proxy layer, but the request is then passed through a second layer with different behavior. “Fundamentally,” the research note added, “these architectures lead to header smuggling and path confusion, which can result in many impactful bugs.”
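The layer mismatch Assetnote describes, reduced to a toy model as an added example (not code from the article, Assetnote or Palo Alto Networks): a proxy matches location rules against the raw path and exports its decision in a header, while the backend normalizes the path before dispatch, so the two can disagree; a hardened proxy matches on the canonical path, and a hardened backend re-derives the requirement rather than trusting the header alone. The header name, prefixes and resource paths are constructed placeholders, not PAN-OS values.

```python
from dataclasses import dataclass, field
from posixpath import normpath
from urllib.parse import unquote

# Constructed stand-ins for the real header name, locations and resources.
AUTH_HEADER = "X-Demo-AuthCheck"
PUBLIC_PREFIX = "/unauth/"  # location the proxy exempts from authentication
RESOURCES = {"/unauth/login.php", "/admin/config.php"}

@dataclass
class Request:
    path: str                    # raw request-target as the proxy received it
    authenticated: bool = False  # whether a valid session accompanies it
    headers: dict = field(default_factory=dict)

def canonicalize(path: str) -> str:
    """Decode percent-encoding and collapse '.', '..' and '//' as a backend does."""
    return normpath(unquote(path))

def needs_auth(path: str) -> bool:
    return not path.startswith(PUBLIC_PREFIX)

def proxy_vulnerable(req: Request) -> Request:
    """Matches location rules against the raw path, exports the decision as a header."""
    req.headers[AUTH_HEADER] = "on" if needs_auth(req.path) else "off"
    return req

def proxy_hardened(req: Request) -> Request:
    """Same rules, applied to the canonical form the backend will actually use."""
    req.headers[AUTH_HEADER] = "on" if needs_auth(canonicalize(req.path)) else "off"
    return req

def backend_trusting(req: Request) -> int:
    """Normalizes the path, then trusts the proxy header for the auth decision."""
    canon = canonicalize(req.path)
    if canon not in RESOURCES:
        return 404
    return 401 if req.headers.get(AUTH_HEADER) == "on" and not req.authenticated else 200

def backend_hardened(req: Request) -> int:
    """Re-derives the requirement from the canonical path instead of trusting
    the header alone: defence in depth against a proxy/backend mismatch."""
    canon = canonicalize(req.path)
    if canon not in RESOURCES:
        return 404
    return 401 if needs_auth(canon) and not req.authenticated else 200

def handle(proxy, backend, path: str, authenticated: bool = False) -> int:
    """Runs one request through a proxy/backend pair and returns the HTTP status."""
    return backend(proxy(Request(path, authenticated)))
```

Either hardening alone closes the mismatch in this model; in a real deployment the proxy-side fix still leaves the backend dependent on a header it did not compute, which is why the restriction of management access to trusted addresses matters as a second layer.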