Palo Alto PAN-OS: Exploit code for high-risk vulnerability has emerged
There are security gaps in the PAN-OS operating system for firewalls from Palo Alto Networks. Exploit code already exists for one of them.
Palo Alto Networks has published security bulletins on four vulnerabilities in the PAN-OS firewall operating system. Exploit code already exists for one high-risk vulnerability. Attacks are very likely in the near future.
According to Palo Alto's announcement, the vulnerability with the highest severity level concerns a possible authentication bypass in the management web interface. Unauthenticated attackers with network access to the interface can reach it without logging in and invoke certain PHP scripts. Although this does not enable code injection, it can compromise the integrity and confidentiality of PAN-OS (CVE-2025-0108, CVSS 8.8, risk "high"). The CERT-Bund of the BSI points out that exploit code is available that demonstrates the abuse of the vulnerability. Criminals can easily adapt it.
Further security vulnerabilities in PAN-OS
Due to a vulnerability in the OpenConfig plug-in for PAN-OS, authenticated administrators can send requests to the PAN-OS web management interface and bypass access restrictions to execute arbitrary commands (CVE-2025-0110, CVSS 8.6, high). In addition, authenticated attackers can read files as the user "nobody" (CVE-2025-0111, CVSS 7.1, high). Furthermore, attackers can delete certain files as the user "nobody" without prior login, including some log and configuration files (CVE-2025-0109, CVSS 6.9, medium).
Palo Alto currently uses the consistently lower "temporal score" for its risk rating; other vendors usually use the CVSS base score. Measured that way, the first two vulnerabilities fall just short of "critical" risk, and the vulnerability Palo Alto rates as medium risk actually represents a high risk.
Admins should install the available PAN-OS updates quickly. PAN-OS 10.1.14-h9, 10.2.13-h3, 11.1.6-h1 and 11.2.4-h4 and newer versions close the gaps. In addition, the update to the OpenConfig plug-in 2.1.2 corrects the security-relevant errors. Palo Alto's Cloud NGFW and Prisma Access are not affected by the vulnerabilities.
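To check an inventory of firewalls against the fixed releases named above, the following added example (not code from heise or from Palo Alto Networks) parses PAN-OS version strings and compares them per release branch. It assumes the version scheme major.minor.maintenance with an optional -hN hotfix suffix, and it deliberately returns no verdict for branches the list does not mention.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory summary above, keyed by release branch.
# Assumption: branches not listed here (e.g. 10.0 or 11.0) are not judged at all.
FIXED_RELEASES = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}

# major.minor.maintenance with an optional "-h<N>" hotfix suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.14-h9' into (10, 1, 14, 9); a release without a hotfix gets hotfix 0,
    so '10.1.14' sorts below '10.1.14-h9' when compared as tuples."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_patched(installed: str) -> Optional[bool]:
    """True if the installed release is at or above the fixed release of its branch,
    False if it is older, None if the branch is not among the listed fixed releases."""
    parsed = parse_panos_version(installed)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None  # branch not covered by the list; needs a manual look at the bulletin
    return parsed >= parse_panos_version(fixed)


if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    for host, version in [("fw-a", "10.2.12"), ("fw-b", "10.2.13-h3"),
                          ("fw-c", "11.1.6-h2"), ("fw-d", "11.0.3")]:
        print(host, version, is_patched(version))
```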
Vulnerabilities in the firmware and bootloaders of Palo Alto firewalls were discovered around two weeks ago.
(dmk)