Palo Alto PAN-OS Bug Severity Upgraded, Exploited in Wild
Summary
Earlier this month we published an advisory about CVE-2025-0108, a vulnerability which allows an unauthenticated attacker to access the web management user interface of Palo Alto Networks’ PAN-OS and invoke certain scripts. Along with the aforementioned bug, nine others were disclosed, all less severe as they offered less utility to potential attackers. Since the original time of writing, proof-of-concept exploit code for CVE-2025-0108 has been publicly released and used in the wild. Additionally, one of the nine less-severe bugs included in the PAN disclosure, CVE-2025-0111, has been upgraded from Medium severity/Moderate urgency to High severity/Highest urgency. It allows an authenticated attacker with access to the web management UI to read files on the PAN-OS filesystem which are readable by the nobody user, and Palo Alto has warned that CVE-2025-0111 is being chained with CVE-2025-0108 and CVE-2024-9474. To exactly what end is still unknown, but prior attacks involving CVE-2024-9474 and a vulnerability similar to CVE-2025-0108 resulted in the extraction of firewall configurations and deployment of malware on compromised appliances. CISA has added CVE-2025-0111 to its Known Exploited Vulnerabilities (KEV) catalog.
Affected Systems and/or Applications
Mitigation/Solution
As with CVE-2025-0108, Palo Alto recommends restricting access to the management UI from external IPs, which greatly reduces the overall risk of exploitation, as well as patching to a PAN-OS version listed below. Additionally, customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat IDs 510000 and 510001.
Furthermore, Palo Alto offers detection of internet-facing devices through their support portal:
- To find any assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
- Review the list of your devices that we discovered in our scans to have an internet-facing management interface and that we tagged with ‘PAN-SA-2024-0015’ and a last seen timestamp (in UTC). If you do not see any such devices listed, then our scan did not find any devices on your account to have an internet-facing management interface within the past three days.
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
- Qualys ID: 732236
- Tenable ID: https://www.tenable.com/cve/CVE-2025-0111
References
- https://security.paloaltonetworks.com/CVE-2025-0111
- https://www.securityweek.com/second-recently-patched-flaw-exploited-to-hack-palo-alto-firewalls/