- Palo Alto Networks is warning of an ongoing attack against its firewalls
- The threat actors are chaining multiple flaws together
- The goal is to download configuration files
Palo Alto Networks has warned its users of an ongoing attack that chains multiple vulnerabilities together to download configuration files and other sensitive information.
The cybersecurity company warned its users about CVE-2025-0111, a 7.1/10 (high-severity) file read vulnerability plaguing PAN-OS firewalls. This bug allows an authenticated attacker with network access to access the management web interface and read files usually readable by the “nobody” user.
The bug was fixed on February 12, 2025, when Palo Alto released a fix and urged users to apply it.
Diversion
On the same day, the company addressed a separate vulnerability, tracked as CVE-2025-0108. This one is an authentication bypass in PAN-OS that enables an unauthenticated attacker with network access to the web interface to bypass the authentication otherwise required by the PAN-OS interface, and invoke certain PHP scripts.
Finally, in mid-November 2024, Palo Alto fixed a privilege escalation bug tracked as CVE-20204-9474. Now, researchers are saying that these three are being chained together in ongoing attacks.
“Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” it was said in the security advisory.
The company did not discuss the details of the attack, but BleepingComputer found that they are being used to download configuration files and other sensitive information.
So far, at least 25 different IP addresses were observed targeting CVE-2025-0108, up from just two a week ago. The top sources of the attacks seem to be the US, Germany, and the Netherlands, although this doesn’t necessarily mean the threat actors are located there.
While the community rushes to apply the patch and mitigate potential risks, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its ‘Known Exploited Vulnerabilities’ (KEV) catalog, giving users until March 11 to patch up.
Leave a comment