Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access
Palo Alto Networks confirms critical PAN-OS vulnerabilities CVE-2025-0108 and CVE-2024-9474 are being actively exploited, allowing attackers to gain root access to unpatched firewalls.
What’s new: Palo Alto Networks has confirmed that a critical authentication bypass vulnerability in its PAN-OS management web interface is being actively exploited in the wild. When chained with a separate privilege escalation flaw, attackers can gain full root access to unpatched firewalls — posing a serious risk to enterprise networks worldwide.
The Vulnerabilities
CVE-2025-0108 is a high-severity flaw (CVSS 8.8) in the PAN-OS web management interface that allows an unauthenticated attacker with network access to bypass login controls and invoke privileged backend PHP scripts. This effectively enables the attacker to act as an administrator on the firewall’s management interface without any credentials.
When chained with CVE-2024-9474, a privilege escalation vulnerability, attackers can elevate their access from administrator to root — gaining complete control over the firewall and the ability to execute arbitrary commands on the underlying operating system.
Who’s Affected
Organizations running unpatched versions of PAN-OS across the following release tracks are at risk:
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.1
- PAN-OS 11.2
Any organization with Palo Alto Networks firewalls that have management interfaces accessible over the network — especially those exposed to the internet — should treat this as an urgent priority.
Active Exploitation Confirmed
Security researchers and threat intelligence teams, including Arctic Wolf and Rapid7, have confirmed active exploitation attempts targeting these vulnerabilities. Attackers are scanning for exposed PAN-OS management interfaces and leveraging the authentication bypass to gain initial access, then chaining the privilege escalation to achieve root-level compromise.
What to Do Now
- Patch immediately: Palo Alto Networks released security updates on February 19, 2025 for CVE-2025-0108 and the related file read vulnerability CVE-2025-0111. Apply updates across all affected PAN-OS release tracks (10.1, 10.2, 11.1, and 11.2).
- Restrict management access: Ensure firewall management interfaces are not exposed to the public internet. Limit access to trusted internal networks or dedicated management VLANs.
- Monitor for indicators of compromise: Review firewall logs for unusual administrative activity, unexpected PHP script execution, or unauthorized configuration changes.
- Audit your attack surface: Use network security scanning tools like NSAuditor to identify exposed management interfaces across your infrastructure.
Why This Matters
Firewalls sit at the perimeter of enterprise networks and are trusted to enforce security policies. When a firewall is compromised at the root level, attackers can bypass all network security controls, intercept traffic, pivot deeper into internal networks, and maintain persistent access that is extremely difficult to detect.
The chaining of an authentication bypass with privilege escalation represents one of the most dangerous attack patterns — turning what would be a limited access issue into complete infrastructure compromise.
