
CVE-2025-0108: Active Exploits Targeting Palo Alto PAN-OS – What You Need to Know 

In recent days, Veriti Research has observed multiple attack attempts exploiting CVE-2025-0108, a critical authentication bypass vulnerability in Palo Alto PAN-OS. The vulnerability is being actively exploited in the wild, so organizations need to assess their exposure and remediate now. 

The Vulnerability: How Attackers Are Exploiting CVE-2025-0108 

According to multiple security researchers, CVE-2025-0108 is trivial to exploit: the attack takes minimal effort to execute against an exposed device, which makes it an attractive target for threat actors. 

Security professionals have already shared proof-of-concept exploitation techniques on social media, increasing the likelihood of widespread abuse. [Screenshot in the original post: the attack being executed; source linked there.]

How Many Devices Are at Risk? 

Data from security research platforms, including Censys, suggests thousands of Palo Alto devices are currently exposed on the internet. While some organizations have taken steps to remediate the issue, a significant number of vulnerable devices remain unpatched and accessible. 

[Figure in the original post: Censys-provided heatmap of affected devices. The linked Censys tracker is labelled CVE-2024-0012, the earlier PAN-OS management-interface authentication bypass, so it maps exposed PAN-OS management interfaces rather than CVE-2025-0108 specifically.]

Even though there has been a decline in the number of exposed devices, recent scans confirm thousands of vulnerable Palo Alto devices are still accessible online. This continued exposure increases the likelihood of large-scale exploitation. 

Who Are the Attackers? Known Malicious Activity 

Several IP addresses have been identified as actively targeting organizations worldwide (addresses are defanged with "[.]"): 

Attacking IP         Targeted Regions                 Notes
123.116.247[.]134    Turkey
149.88.26[.]226      Spain, United States
198.23.171[.]159     United States
34.121.207[.]116     France, Switzerland, Sweden      Origin: Google Cloud
104.131.69[.]106     United States                    Associated with Sliver


One notable attack campaign leverages Sliver (spelled "Silver" in some reports), an open-source command-and-control framework built for red-team operations and widely adopted by threat actors. More details on Sliver can be found on Malpedia: Malpedia Sliver

Additionally, a malicious payload associated with attacks on Palo Alto NGFWs has been detected in the wild (VirusTotal entry linked in the original post).

How Veriti Protects Its Customers 

At Veriti, we analyzed how organizations are currently handling this vulnerability. Our findings reveal a critical security gap: 

  • More than 50% of organizations have the necessary protections in place, but they are running in 'Inactive Mode'. 
  • This means that even though the security controls exist, they are not actively blocking attacks, leaving these organizations open to exploitation. 
  • Veriti customers are already protected: 
      • Veriti has automatically released a custom protection for direct remediation using compensating controls. 
      • Veriti has updated all security controls with the latest IoCs related to the attackers. 
      • Veriti automatically detects this issue and provides immediate insight, with direct remediation by switching the relevant protections to block mode. 

Given the urgency and active exploitation of CVE-2025-0108, Veriti strongly recommends organizations take the following actions: 

  • Check for Exposure: Identify Palo Alto PAN-OS instances in your environment, check their versions against the fixed releases in Palo Alto Networks' advisory, and confirm that the management web interface is not reachable from the internet. 
  • Activate Compensating Controls: Ensure that security protections are not just enabled but actively blocking attacks (block mode, not detect-only). 
  • Monitor for IoCs: Watch for the attacker IPs listed above, and for any other unexpected source reaching the management interface, in your network and web-server logs. 
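As an added example (not code from the Veriti post), the script below turns the "Monitor for IoCs" step and the attacker table above into a runnable check: it refangs the defanged attacker IPs, parses access-log lines in the common combined format, and flags both hits on those IPs and any request to the management interface from outside an admin allowlist. The log lines, the allowlist subnet and the log format are constructed assumptions for the example.

```python
"""Added example (not code from the Veriti post): refang the attacker IPs
listed above and scan management-interface access logs for them, plus a
simple allowlist check for any other source reaching the interface.
Log lines and the admin allowlist are constructed for the example.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set

# Attacker IPs exactly as published in the post (defanged with "[.]").
DEFANGED_IOCS = [
    "123.116.247[.]134",
    "149.88.26[.]226",
    "198.23.171[.]159",
    "34.121.207[.]116",
    "104.131.69[.]106",
]

# Assumption for this example: only the internal admin jump-host subnet
# should ever reach the PAN-OS management web interface.
ADMIN_ALLOWLIST = [ip_network("10.10.0.0/24")]

# Constructed sample lines in the common "combined" access-log format.
# 198.51.100.x is a documentation range, not a real host.
SAMPLE_LOGS = """\
10.10.0.5 - - [13/Feb/2025:10:01:12 +0000] "GET /php/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
149.88.26.226 - - [13/Feb/2025:10:02:40 +0000] "GET /php/login.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [13/Feb/2025:10:03:05 +0000] "GET /php/login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
34.121.207.116 - - [13/Feb/2025:10:04:19 +0000] "POST /php/login.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
this line is not an access-log record and is skipped
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def refang(ioc: str) -> str:
    """'149.88.26[.]226' -> '149.88.26.226'. Raises ValueError if the
    result is not a valid IP, so a typo in an IoC list fails loudly."""
    return str(ip_address(ioc.replace("[.]", ".").replace("(.)", ".")))


def build_ioc_set(defanged: Iterable[str]) -> Set[str]:
    """Normalise a list of defanged IoCs into a set of real addresses."""
    return {refang(i) for i in defanged}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_logs(lines: Iterable[str], iocs: Set[str],
              allowlist=ADMIN_ALLOWLIST) -> List[Dict[str, str]]:
    """Flag every request whose source is a known attacker IP, and every
    request from outside the admin allowlist (the interface should not be
    reachable from anywhere else)."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ip_address(rec["ip"])
        if str(src) in iocs:
            reason = "known attacker IP"
        elif not any(src in net for net in allowlist):
            reason = "outside admin allowlist"
        else:
            continue
        findings.append({"ip": str(src), "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS.splitlines(), build_ioc_set(DEFANGED_IOCS)):
        print(f"{f['ts']} {f['ip']:>15} {f['method']} {f['path']} {f['status']} <- {f['reason']}")
```

Running it on the constructed sample yields three findings: two hits on IPs from the table and one request from an address that is neither a known attacker nor on the allowlist. The allowlist check matters because IoC lists age quickly; a management interface that answers to anyone on the internet is the exposure the post is warning about, whoever the source happens to be today.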

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/veriti-research/cve-2025-0108-active-exploits-targeting-palo-alto-pan-os-what-you-need-to-know/