Increase in Attack Attempts Observed Following Palo Alto Networks’ Disclosure and Patching of Vulnerability

Cybercriminals have ramped up their attempts to exploit a critical vulnerability in Palo Alto Networks firewall appliances, one that can give them direct access to the device's core software. Palo Alto Networks disclosed the flaw as CVE-2025-0108, an authentication bypass in the PAN-OS operating system.
The vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication that interface normally requires and invoke specific PHP scripts. Although the flaw does not permit remote code execution, it puts the integrity and confidentiality of PAN-OS at risk.
Following the announcement, GreyNoise, a threat intelligence service that monitors malicious activity using honeypots, reported active exploitation attempts of this flaw. They indicated that the vulnerability presents a high-severity risk as unauthenticated attackers can leverage it to execute PHP scripts, potentially leading to unauthorized access to affected systems.
The Shadowserver Foundation noted a marked increase in attack attempts on its honeypots beginning Thursday, with approximately 3,500 PAN-OS management interfaces detected as exposed to the internet, mainly across regions in Asia and North America. Shadowserver cautioned that these systems remain vulnerable until they are patched, urging organizations to remove management interfaces from public access.
Researchers are linking this uptick in exploit attempts to both criminal organizations and nation-state actors. Edge devices such as firewalls, routers and VPN appliances are primary targets, underlining the persistent threat landscape. Palo Alto Networks confirmed that CVE-2025-0108 affects multiple PAN-OS versions and released patches to mitigate the risk. Organizations are advised to upgrade from outdated versions that have reached end of life.
Notably, the vulnerability does not affect Palo Alto's cloud-based NGFW or Prisma Access services. The flaw was discovered by AssetNote, an Australian attack surface management firm, which traced the root cause to how authentication requests are handled as they pass through the open-source web servers Nginx and Apache.
The ongoing risk, as emphasized by GreyNoise, extends to all internet-exposed PAN-OS management interfaces. Organizations leveraging these firewalls are urged to assume that unpatched devices are potential targets and to take immediate precautionary measures to secure them. The risk intensifies for those allowing management interface access from the internet or untrusted networks.
To reduce exposure, Palo Alto Networks recommends restricting management interface access to trusted IP addresses, a long-standing best practice for securing management interfaces. It is also advisable to place these interfaces on a dedicated management VLAN, require access through jump servers to improve auditing, and permit only secure management protocols such as SSH and HTTPS.
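The hardening steps above can be checked against a configuration export rather than by hand. The following is an added example, not code from Palo Alto Networks or the article; it audits a constructed PAN-OS-style XML snippet for a permitted-IP allow list and for plaintext management services left enabled. The element paths (deviceconfig/system/permitted-ip and deviceconfig/system/service) are an assumption about the export layout.

```python
"""Audit a PAN-OS configuration export for the management-interface
hardening the article describes: an explicit permitted-IP allow list
and plaintext management services (HTTP, Telnet) disabled.

The XML below is a CONSTRUCTED sample. The element paths are an
assumption about how a PAN-OS running-config export is laid out.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <permitted-ip>
        <entry name="10.20.0.0/24"><description>admin VLAN</description></entry>
      </permitted-ip>
      <service>
        <disable-http>no</disable-http>
        <disable-telnet>yes</disable-telnet>
      </service>
    </system></deviceconfig>
  </entry></devices>
</config>"""


def audit_mgmt_config(xml_text: str) -> dict:
    """Return the permitted IPs found and a list of findings (empty = passes)."""
    root = ET.fromstring(xml_text)
    system = root.find("./devices/entry/deviceconfig/system")
    if system is None:
        return {"permitted_ips": [], "findings": ["no deviceconfig/system block found"]}
    findings = []
    permitted = [e.get("name") for e in system.findall("./permitted-ip/entry")]
    # An empty allow list means management logins are accepted from any source.
    if not permitted:
        findings.append("no permitted-ip allow list: management interface reachable from any address")
    if any(ip.endswith("/0") for ip in permitted):
        findings.append("permitted-ip contains a /0 entry, which allows every address")
    # Plaintext management protocols should be off; only SSH and HTTPS should remain.
    for svc in ("disable-http", "disable-telnet"):
        node = system.find(f"./service/{svc}")
        if node is None or (node.text or "").strip().lower() != "yes":
            findings.append(f"{svc} is not set to yes: plaintext management protocol enabled")
    return {"permitted_ips": permitted, "findings": findings}


if __name__ == "__main__":
    for line in audit_mgmt_config(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", line)
```

Running the sample flags only the enabled HTTP service; an export with no permitted-ip block at all produces three findings.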
As the cybersecurity threat landscape evolves, business owners must prioritize vigilance and proactive measures to protect their digital infrastructures from emerging vulnerabilities and exploit attempts, particularly those targeting critical firewall services.