PAN-PAN-PAN-OS: Palo Alto Firewalls Under Attack (Again)
Scrotes chain three flaws to take full control—seems pretty easy.
Hackers are actively exploiting a Palo Alto Networks firewall bug. The vulnerability allows root-level access to firewalls running PAN-OS. IT drones are urged to patch immediately.
People are pointing the finger towards Palo Alto. In today’s SB Blogwatch, we watch the blame-game play out.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mars refusing to share.
Time to Declare an Emergency?
What’s the craic? Shweta Sharma reports: Hackers gain root access to Palo Alto firewalls through chained bugs
“Root-level access”
A high-severity authentication bypass vulnerability … is now being actively exploited by threat actors to gain root-level access to affected firewall systems. Tracked as CVE-2025-0108, the vulnerability allows an unauthenticated attacker with network access to the PAN-OS management web interface to bypass authentication requirements.
…
Threat actors are chaining CVE-2025-0108 and CVE-2024-9474 with a high-severity flaw (CVE-2025-0111) for unauthorized root-level access to vulnerable systems, potentially allowing extraction of sensitive configuration data and user credentials.
Is it easy to exploit? Let’s turn to Carly Page: Palo Alto Networks warns of another firewall vulnerability under attack
“Complexity of the attack is low”
It’s not known who is behind these attacks, or whether any sensitive data has been stolen from customers’ networks. Palo Alto Networks did not immediately respond.
…
Palo Alto Networks hasn’t explained how the three vulnerabilities are being chained together by hackers, but noted that the complexity of the attack is “low.” … CISA, the U.S. government’s cybersecurity agency, added the latest Palo Alto bug to its publicly listed Known Exploited Vulnerabilities (KEV) catalog on Tuesday.
What should we do about it? GreyNoise’s Noah Stone is tracking the perps: Active Exploitation of PAN-OS Authentication Bypass
“Take immediate steps”
[We see] 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13. Top 3 source countries of attack traffic: United States, Germany, Netherlands.
…
Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.
How does this keep happening? likeabatterycar sees the problem:
Fortune 500s pay Palo Alto millions a year for their product and it’s written in PHP?
Blame the devs? Teal Bee catches the ball and runs with it:
Palo Alto … employ PHP developers to develop its management interface. … If it can be accessed over Ethernet then it will be accessed over the Internet, whether you intended that or not.
Blame the management? SQL Error isn’t hanging about:
If a firewall ships with PHP enabled, that vendor deserves to go bankrupt. The faster the better.
Blame the docs? So says u/Dry-Specialist-3557:
Does anybody else notice how bad Palo Alto’s documentation is lately? For example, we have been trying to patch CVE-2025-0108. … A few days ago they dropped 10.2.10-h14, and it was not listed as patching this major CVE. … I opened a TAC case and they did nothing.
…
How in the world are Palo Alto customers supposed to identify specific issues and which versions patch/fix the issues when their documentation contradicts itself and their TAC support does nothing? … How is this acceptable?
Or, blame the customer? rumpledoll calls it “Amazing!”
After all these years of what seems like every vendor having an issue like this, … what dimwitted idiot incompetent would put the web interface reachable directly by the public internet?
But should we be surprised? rolph sure ain’t:
Guess how I was made aware that Palo Alto exists? As a consistent top 20 offender in my block list for port scans and login attempts, resulting in a hard ban of the entire address range.
Meanwhile, ecofeco gives the ’sploit a cool nickname:
Palo Faulto.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Bing Hui Ya (via Unsplash; leveled and cropped)