DIVD-2025-00004 - Authentication Bypass in PAN-OS Management Web Interface
Field | Value |
---|---|
Our reference | DIVD-2025-00004 |
Case lead | Frank Breedijk |
Researcher(s) | |
CVE(s) | CVE-2025-0108 |
Products | PAN-OS |
Versions | |
Recommendation | Install the updates provided by the vendor. Make sure your management interface is not exposed to the internet. |
Patch status | Fully patched |
Status | Open |
Last modified | 20 Feb 2025 11:35 CET |
Summary
Due to confusion between the nginx and Apache web servers/proxies used to serve the PAN-OS web management interface, it is possible to access certain PHP scripts on Palo Alto devices running PAN-OS without authentication, as described in CVE-2025-0108. Running these scripts can lead to a compromise of the confidentiality and integrity of the device.
What you can do
It is highly recommended not to publicly expose management interfaces of edge devices to the internet. This also applies to PAN-OS devices, as per Palo Alto Networks' best-practice deployment guidelines.
- If the management interface of your PAN-OS device is exposed to the internet, restrict access to trusted IP addresses only.
- Install vendor-supplied patches.
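The following is an added example of how the "trusted IP addresses only" recommendation can be applied on a PAN-OS device from its CLI; it is not part of the DIVD case record or of Palo Alto's advisory. The command syntax is taken from the PAN-OS configuration CLI as the editor knows it (`set deviceconfig system permitted-ip` for the dedicated management port, an interface management profile for any dataplane interface that also answers management traffic); verify it against the CLI reference for your PAN-OS version. The address range 203.0.113.0/24 and the profile name `mgmt-restricted` are constructed placeholders for your own administrative network.

```text
# Enter configuration mode on the PAN-OS CLI
configure

# Restrict the dedicated management (MGT) port to the administrative
# network only. Every source outside this list is dropped before it
# reaches the web interface, so the unauthenticated PHP scripts named in
# the summary are no longer reachable from the internet.
set deviceconfig system permitted-ip 203.0.113.0/24 description "admin network (constructed example range)"

# Do not serve the web interface over plain HTTP at all.
set deviceconfig system service disable-http yes

# If a dataplane interface has a management profile that allows HTTPS,
# apply the same allow-list there; an empty permitted-ip list on a
# profile means "any source", which is what exposes the interface.
set network profiles interface-management-profile mgmt-restricted https yes
set network profiles interface-management-profile mgmt-restricted permitted-ip 203.0.113.0/24

# Review the pending change, then commit it.
show deviceconfig system permitted-ip
commit
```

After the commit, confirm from an address outside the allow-list that the management interface no longer answers; an allow-list only protects the interfaces it is actually attached to, so check every interface whose management profile permits HTTPS, not just the MGT port. The allow-list limits exposure but does not remove the flaw itself, which is why the vendor patch still needs to be installed.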
What we are doing
DIVD is currently scanning the internet for vulnerable devices. Once devices are identified, we will warn the administrators of the networks in which they are located.
Timeline
Date | Description |
---|---|
12 Feb 2025 | Palo Alto published advisory PAN-273971 and released patches |
12 Feb 2025 | Assetnote releases full vulnerability details |
13 Feb 2025 | First attacks observed by GreyNoise |
13 Feb 2025 | Nuclei template published on GitHub |
14 Feb 2025 | DIVD starts investigation |
20 Feb 2025 | Case opened |
More information
- CVE-2025-0108
- Palo Alto advisory PAN-273971
- Assetnote article with full disclosure
- GreyNoise article about exploitation in the wild
- Nuclei template developed by Humberto Júnior