Cyberattacks on Palo Alto PAN-OS and Craft CMS underway

Attackers are abusing vulnerabilities in the Craft CMS and Palo Alto's PAN-OS to attack vulnerable systems.


The US IT security authority CISA warns of attacks on security vulnerabilities in Craft CMS and in Palo Alto Networks' firewall operating system PAN-OS. Updates are available for the vulnerabilities under attack, and IT managers should install them now at the latest.

In its warning, CISA cites, for example, a vulnerability in PAN-OS that was reported a week ago and fixed with software updates, and on which cyberattacks have now been observed. It is an authentication bypass in the firewalls' management web interface. Although the vulnerability does not allow malicious code to be injected, attackers with access to the interface can use it without logging in and call certain PHP scripts (CVE-2025-0108, CVSS 8.8, risk "high"). Exploit code was already available last week, and malicious actors are now apparently using it on the Internet.

Updates for the affected operating system versions have also been available for a week: PAN-OS 10.1.14-h9, 10.2.13-h3, 11.1.6-h1 and 11.2.4-h4 and newer versions of each close the gaps.


CISA is also aware of attacks on the Craft content management system. The vulnerability under attack allows attackers to inject and execute malicious code over the network. It affects Craft 4 and 5 installations in which the security key has been compromised (CVE-2025-23209, CVSS 8.1, risk "high"). Admins should keep this key secret at all costs, as the instructions for securing Craft explain. The vulnerability description names Craft 5.5.8 and 4.13.8 and newer versions as the fixed releases.

CISA does not provide details of the observed attacks, so their scope is unclear. There are also no Indicators of Compromise (IOCs) that IT managers could use to check whether their systems have been (successfully) attacked. What remains for them is, above all, to apply the available updates.
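Since no IOCs are available, comparing installed versions against the fixed releases named above is the practical check. The following is an added example, not code from CISA, the vendors or the original article; the inventory rows and host names are constructed, and it assumes PAN-OS release trains are identified by major.minor and Craft trains by major version.

```python
import re

# Minimum fixed versions as named in the article, keyed by (product, release train).
FIXED = {
    ("pan-os", (10, 1)): "10.1.14-h9",
    ("pan-os", (10, 2)): "10.2.13-h3",
    ("pan-os", (11, 1)): "11.1.6-h1",
    ("pan-os", (11, 2)): "11.2.4-h4",
    ("craft", (4,)): "4.13.8",
    ("craft", (5,)): "5.5.8",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, patch, hotfix); a missing -hN suffix counts as hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def status(product, version):
    """Classify an installed version as 'fixed', 'needs-update' or 'unknown'."""
    try:
        v = parse(version)
    except ValueError:
        return "unknown"  # unparseable string: check this host by hand
    # Assumption: PAN-OS trains are major.minor, Craft trains are the major version.
    train = v[:2] if product == "pan-os" else v[:1]
    fixed = FIXED.get((product, train))
    if fixed is None:
        return "unknown"  # train not named in the article: consult the vendor advisory
    return "fixed" if v >= parse(fixed) else "needs-update"


# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("fw-edge-01", "pan-os", "11.1.6"),
    ("fw-edge-02", "pan-os", "10.2.13-h3"),
    ("fw-lab-01", "pan-os", "11.0.4"),
    ("cms-www-01", "craft", "5.5.7"),
    ("cms-www-02", "craft", "4.13.8"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:12} {product:7} {version:12} {status(product, version)}")
```

A hotfix build on an older maintenance release is reported as `needs-update` because the article lists only one minimum version per train, so confirm such hosts against the vendor advisory. For Craft, `needs-update` means the installation is below the fixed release; the issue additionally requires a compromised security key.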

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.