CVE-2025-0108 Detection: Active Exploitation of an Authentication Bypass in Palo Alto Networks PAN-OS Software
A recently patched flaw in Palo Alto Networks PAN-OS firewall software, tracked as CVE-2025-0108, lets an unauthenticated attacker with network access to the management web interface bypass authentication and invoke certain PHP scripts. Although this does not by itself yield remote code execution, the flaw still undermines the integrity and confidentiality of affected PAN-OS devices. Exploitation attempts that chain CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 against unpatched PAN-OS instances are growing, which demands a rapid response from defenders.
Detect CVE-2025-0108 Exploitation Attempts
GitHub indicates that by late 2024, an average of 115 CVEs were disclosed daily, with a 124% increase in cyber-attacks leveraging vulnerabilities during Q3 2024. Proactive detection of vulnerability exploitation therefore remains one of the top use cases for cyber defenders globally.
SOC Prime Platform for collective cyber defense offers a broad collection of Sigma rules addressing vulnerability exploitation, backed by a complete product suite for automated threat hunting, AI-powered detection engineering, and intelligence-led threat detection. A Sigma rule detecting CVE-2025-0108 is also on the list; its details are below:
Possible CVE-2025-0108 (PAN-OS Authentication Bypass) Exploitation Attempt (via webserver)
This rule by the SOC Prime Team is based on the publicly available PoC exploit and helps detect attacks that leverage CVE-2025-0108 to gain initial access to targeted systems. The detection is compatible with 22 SIEM, EDR, and data lake solutions and is mapped to MITRE ATT&CK, covering the Initial Access tactic with Exploit Public-Facing Application (T1190) as the main technique.
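As an added illustration (not part of the original article, and not the SOC Prime rule or any Palo Alto Networks code), the Python script below shows the kind of webserver-log detection such a rule performs. It percent-decodes and normalizes each request path, flags requests that start under the unauthenticated `/unauth/` area of the management UI but resolve outside it to a `.php` script (the path-confusion shape used by the public PoC), and raises the severity when the source IP is outside a trusted management allowlist, in line with the vendor's advice to restrict the interface to a jump box or trusted internal IPs. The sample log lines, the `/unauth/` prefix check, and the `TRUSTED_MGMT_NETS` allowlist are constructed assumptions; the real rule's logic is not reproduced here.

```python
"""Flag PAN-OS management-interface requests shaped like the CVE-2025-0108
path-confusion auth bypass, using constructed Nginx-style access log lines.
Added example; not the SOC Prime Sigma rule and not Palo Alto Networks code."""
import re
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (Nginx "combined" format), not real telemetry.
# Lines 1, 2 and 5 follow the public PoC shape: a path under /unauth/ that
# percent-encodes ".." so it resolves to a PHP script outside /unauth/.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2025:10:14:02 +0000] "GET /unauth/%2e%2e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [13/Feb/2025:10:14:05 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.10.5.20 - - [13/Feb/2025:10:15:11 +0000] "GET /php/login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.5.20 - - [13/Feb/2025:10:15:30 +0000] "GET /unauth/css/login.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.5.20 - - [13/Feb/2025:10:16:00 +0000] "GET /unauth/%2e%2e/php/ztp_gate.php/PAN_help/x.css?x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Hypothetical allowlist: the jump box / admin VLAN permitted to reach the
# management interface. Anything else reaching it is already a policy gap.
TRUSTED_MGMT_NETS = [ip_network("10.10.5.0/24")]

UNAUTH_PREFIX = "/unauth/"  # assumption: unauthenticated static area of the UI
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(target, max_rounds=3):
    """Percent-decode the path until it stops changing (catches %252e)."""
    path = urlsplit(target).path
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def analyze_request(ip, target, status="000"):
    """Return a finding dict for a suspicious request, or None."""
    raw_path = urlsplit(target).path
    decoded, rounds = decode_path(target)
    normalized = normpath(decoded)  # collapses "/unauth/../php" -> "/php"
    indicators = []
    escaped = (raw_path.lower().startswith(UNAUTH_PREFIX)
               and not normalized.lower().startswith(UNAUTH_PREFIX))
    if escaped:
        indicators.append("escapes_unauth_prefix")
    if ".." in decoded and ".." not in raw_path:
        indicators.append("encoded_traversal")
    if rounds > 1:
        indicators.append("double_encoded")
    if escaped and any(s.lower().endswith(".php") for s in normalized.split("/")):
        indicators.append("php_script_reached")
    if not indicators:
        return None
    trusted = any(ip_address(ip) in net for net in TRUSTED_MGMT_NETS)
    return {
        "ip": ip,
        "raw_path": raw_path,
        "normalized_path": normalized,
        "status": status,
        "indicators": indicators,
        # A bypass attempt from an untrusted source is the worst case;
        # the same request from the admin VLAN still merits a look.
        "severity": "medium" if trusted else "high",
    }


def scan_log(text):
    """Parse access-log lines and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["ip"], m["target"], m["status"])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["normalized_path"], f["indicators"])
```

The decode-then-normalize step matters because the front-end and back-end web servers disagree about what the path means: a rule that only looks at the raw URI for `..` misses the `%2e%2e` and `%252e%252e` variants, while a rule that only looks for `.php` fires on every legitimate login. Treating the response status as confirmation is left to the analyst; a 200 is suggestive, not proof.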
Because the vendor observed CVE-2025-0108 being chained with CVE-2024-9474 in the most recent attacks, security teams may also want to review the rule collection addressing exploitation of that flaw. Most of those rules refer to the earlier campaign in which attackers chained CVE-2024-9474 with another PAN-OS authentication bypass, CVE-2024-0012, to compromise internet-exposed Palo Alto Networks firewalls. Check out the Sigma rule set here.
Additionally, security professionals might review the entire rule collection addressing vulnerability exploitation by filtering detection content in the Threat Detection Marketplace with a “CVE” tag.
CVE-2025-0108 Analysis
Palo Alto Networks warns that attackers are actively exploiting CVE-2025-0108 in the wild. The issue has been addressed in PAN-OS versions 10.2.14, 11.0.7, 11.2.5, and all subsequent releases. Disclosed on February 12 alongside updates and mitigations, the bug carries a CVSS score of 8.8 and allows unauthenticated access to the PAN-OS management web interface and invocation of PHP scripts. Defenders spotted the first exploitation attempts on February 13, flagging the activity as malicious, with nearly 30 unique source IPs behind the attempts.
Notably, CVE-2025-0108 can be chained with CVE-2024-9474 to achieve RCE. The latter flaw, also already patched, has been seen exploited together with CVE-2024-0012. The Shadowserver Foundation observed in-the-wild exploitation following the release of a public PoC and counted about 3,500 exposed PAN-OS management interfaces as of mid-February.
To reduce the risk of intrusion via CVE-2025-0108, organizations are urged to install the fixed versions and to restrict access to the management interface to a jump box or trusted internal IP addresses. By leveraging SOC Prime Platform for collective cyber defense, organizations can stay ahead of adversaries, safeguard their infrastructure against in-the-wild exploits in a timely manner, and strengthen their overall cybersecurity posture.