Summary
A path-and-header mismatch between the PAN-OS Nginx proxy and downstream Apache/PHP lets an unauthenticated network attacker craft multi-encoded requests that reach protected PHP scripts without logging in. The flaw undermines confidentiality and integrity of the management plane and has been weaponized in the wild.
Urgent Actions Required
- Patch PAN-OS to the fixed build for your train (11.2.4-h4+, 11.1.6-h1+, 10.2.13-h3+, 10.1.14-h9+).
- Remove or block public/internet access to the management web interface.
- Restrict management access to a minimal set of trusted IPs or a jump host/VPN.
- Enable Palo Alto Threat Prevention signatures/content that address this attack class.
- Search logs for double-encoded /unauth/%252e%252e/... requests and 200 responses to internal PHP pages.
- Prioritize remediation of devices with internet-facing management ports.
- Block or throttle repeat exploit-source IPs observed in telemetry.
- Follow CISA and Palo Alto advisories — apply fixes or stop using the device.
- If compromised, isolate it and gather full logs for investigation.
Which Systems Are Vulnerable to CVE-2025-0108?
Technical Overview
- Vulnerability Type: Authentication bypass caused by path / header mismatch between Nginx → Apache → PHP (multi-encoded path traversal)
- Affected Software/Versions:
  - PAN-OS 10.1: vulnerable in releases prior to 10.1.14-h9.
  - PAN-OS 10.2: vulnerable in releases prior to 10.2.13-h3 (and certain earlier 10.2 minor builds as enumerated in vendor tables).
  - PAN-OS 11.1: vulnerable in releases prior to 11.1.6-h1.
  - PAN-OS 11.2: vulnerable in releases prior to 11.2.4-h4.
- Attack Vector: Network — requires access to the PAN-OS management web interface (HTTP/HTTPS)
- CVSS Score: 9.1
- CVSS Vector (v3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
- Patch Availability: Yes, available
How Does the CVE-2025-0108 Exploit Work?
The attack typically follows these steps:
- The attacker sends an unauthenticated request to the management web interface under /unauth/, with a directory-traversal sequence percent-encoded more than once (for example /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css).
- The Nginx proxy evaluates the still-encoded path, classifies it as an /unauth/ resource that needs no login, and passes that decision downstream in a header.
- Apache decodes the path a further time and its internal rewrite resolves the .. sequence, so the request lands on a protected script under /php/.
- PHP executes that script without its own authentication check, so the attacker reaches functionality that should have required a logged-in session.
What Causes CVE-2025-0108?
Vulnerability Root Cause:
PAN-OS’s management web interface doesn’t enforce authentication for some PHP scripts. An attacker with network access can call those scripts to bypass login — not RCE, but it can expose sensitive data and harm device integrity.
How Can You Mitigate CVE-2025-0108?
If immediate patching is delayed or not possible:
- Restrict access to the PAN-OS management web interface to trusted internal IP addresses only.
- Follow Palo Alto Networks’ recommended deployment and management access security guidelines.
- Disable external exposure of the management interface to reduce attack surface.
- Continuously monitor for unusual or unauthorized access attempts to the management interface.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- PAN-OS firewalls using vulnerable versions.
- Devices with management interfaces open to untrusted networks.
Business-Critical Systems at Risk:
- Firewall management consoles – risk of unauthorized access and configuration exposure.
- Network security infrastructure – potential compromise of integrity and confidentiality of PAN-OS settings.
Exposure Level:
- Internet-exposed management interfaces – highly vulnerable and actively targeted.
- Internally managed systems – lower risk but still exposed if access controls are weak or misconfigured.
Will Patching CVE-2025-0108 Cause Downtime?
Patch application impact: Low. Updating to fixed PAN-OS versions resolves the issue with minimal downtime.
How Can You Detect CVE-2025-0108 Exploitation?
Exploitation Signatures:
- Double/multi-encoded path requests targeting /unauth/, e.g. /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css.
- Requests that resolve to /php/<script>.php (or similar management PHP endpoints) but arrive via an /unauth/... style URL.
- Request shapes matching the publicly available PoC.
Indicators of Compromise (IOCs/IOAs):
- HTTP GET/POST requests containing %252e%252e (double-encoded ..) under /unauth/.
- HTTP 200 OK responses from internal PHP management endpoints when no authentication session exists.
- Repeated exploit attempts from multiple distinct source IPs (reported by GreyNoise / Shadowserver).
- Presence of known PoC tooling or scripts scanning for CVE-2025-0108.
Behavioral Indicators:
- Management PHP pages returning successful content without prior login flow.
- Requests that trigger Apache internal redirects / rewrites (evidence in web server logs showing internal rewrite activity following the original request).
- High frequency of similarly-crafted requests (same double-encoded pattern) against management ports.
Alerting Strategy:
- Alert on any inbound request matching /unauth/%252e%252e/ or containing %252e%252e plus /php/.
- Alert if a management PHP endpoint returns 200 but no authentication token/session is present.
- Alert on bursts of CVE-2025-0108 PoC-like requests originating from multiple source IPs.
- Prioritize devices with internet-facing management ports for immediate review when any of the above is seen.
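As an added example (not code from this page or from Palo Alto Networks), the Python script below applies the alerting rules above to constructed access-log lines. It normalizes each request path the way the Nginx → Apache → PHP chain effectively does (percent-decoding until the path stops changing, then collapsing `..` segments), so it flags double- and deeper-encoded variants rather than only the literal `%252e%252e` string. The log line format, the file name `example_script.php` and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log shape, not real PAN-OS output).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Feb/2025:10:01:02 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 512
203.0.113.10 - - [13/Feb/2025:10:01:03 +0000] "GET /unauth/%25252e%25252e/php/example_script.php/x.css HTTP/1.1" 200 128
198.51.100.7 - - [13/Feb/2025:10:02:00 +0000] "GET /php/login.php HTTP/1.1" 200 4096
198.51.100.7 - - [13/Feb/2025:10:02:05 +0000] "GET /unauth/PAN_help/x.css HTTP/1.1" 200 77
203.0.113.10 - - [13/Feb/2025:10:03:09 +0000] "GET /unauth/%252e%252e/php/example_script.php HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_until_stable(path, max_rounds=5):
    """Percent-decode repeatedly, as a chain of decoders would; return (path, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def resolve_dots(path):
    """Collapse '.' and '..' segments the way a lenient server-side rewrite would."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)

def classify(raw_path, status):
    """Return an alert reason for one request, or None if it looks benign."""
    decoded, rounds = decode_until_stable(raw_path.split("?", 1)[0])
    effective = resolve_dots(decoded)
    # Only a path that claims to be under /unauth/ but resolves elsewhere is suspicious.
    if not (raw_path.startswith("/unauth/") and not effective.startswith("/unauth/")):
        return None
    if effective.startswith("/php/") and status == "200":
        return "traversal out of /unauth/ reached a PHP endpoint with HTTP 200 (rounds=%d)" % rounds
    return "traversal out of /unauth/ attempted (status %s, rounds=%d)" % (status, rounds)

def scan(log_text):
    """Return (source_ip, raw_path, reason) for every matching line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reason = classify(m["path"], m["status"])
            if reason:
                hits.append((m["ip"], m["path"], reason))
    return hits

if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG):
        print(ip, path, "->", reason)
```

The 200-response hits are the ones to treat as probable successful bypasses; a 403 on the same pattern is still worth recording as an attempt from that source.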
Remediation & Response
Mitigation Steps if No Patch:
- Restrict external access to the PAN-OS management web interface.
- Limit management access to trusted IPs or internal networks.
- Turn off management services you do not use (for example HTTP or HTTPS on the admin interface).
- Watch for unusual logins or access to the management portal.
Remediation Timeline:
- Immediate (0–2 hrs): Limit management interface exposure and restrict access through network controls.
- Within 8 hrs: Apply Palo Alto Networks’ fixed PAN-OS versions as per the official advisory.
- Within 24 hrs: Confirm all affected devices are patched and validate management interface access settings.
Rollback Plan:
- Review authentication logs for unauthorized or unexpected logins.
- Check for signs of configuration changes or new administrative sessions.
- Capture relevant system and access logs for forensic review.
- After patching, re-audit management access controls and confirm they match policy requirements.
Where Can I Find More Information on CVE-2025-0108?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.1 | Critical severity, per CVSS v3.1 base score |
| Attack Vector | Network | Exploited remotely through the PAN-OS management web interface |
| Attack Complexity | Low | Exploitation requires no special conditions |
| Privileges Required | None | No authentication or credentials are needed |
| User Interaction | None | Exploitation occurs without user action |
| Scope | Unchanged | Impact is limited to the affected system component |
| Confidentiality Impact | High | Allows exposure of sensitive configuration or data |
| Integrity Impact | High | Enables unauthorized modification or control |
| Availability Impact | None | References indicate no impact on service availability |