Lessons from the PAN-OS Authentication Bypass Vulnerability 

Earlier this year, Santa Clara-based cybersecurity firm Palo Alto Networks patched a serious vulnerability in its PAN-OS management system that allowed attackers to bypass authentication. The security flaw (CVE-2025-0108) scored 7.8 on the CVSS severity scale – high enough to raise serious concerns. The vulnerability was significant enough that CISA later added it to their Known Exploited Vulnerabilities (KEV) catalog, highlighting its importance. 

This vulnerability allowed hackers with network access to bypass authentication, run certain PHP scripts, gather intelligence for future attacks, or modify security settings to weaken defenses. The case provides valuable insights into how quickly threat actors can mobilize once vulnerabilities are disclosed. 

Understanding the Vulnerability 

According to Palo Alto’s February 12th advisory, the flaw affected both the confidentiality and the integrity of PAN-OS. The good news? It didn’t allow for remote code execution. 

The company’s advisory explained: “An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts.” 

“While invoking these PHP scripts does not enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS,” Palo Alto Networks added. 

These PAN-OS versions were vulnerable: 

  • PAN-OS 10.1 before 10.1.14-h9 
  • PAN-OS 10.2 before 10.2.13-h3 
  • PAN-OS 11.0 (which needed immediate upgrading since it was already unsupported) 
  • PAN-OS 11.1 before 11.1.6-h1 
  • PAN-OS 11.2 before 11.2.4-h4 
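To turn the version list above into something a fleet owner can act on, here is an added Python checker (not code from the post or from Palo Alto Networks). It assumes the `major.minor.maintenance-hN` version format, treats the 11.0 train as needing an upgrade rather than a hotfix, and reports any train the post does not list as unknown.

```python
"""Compare PAN-OS version strings against the fixed releases for CVE-2025-0108."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# First fixed release per train, taken from the version list above.
FIXED: Dict[Tuple[int, int], Version] = {
    (10, 1): (10, 1, 14, 9),   # 10.1.14-h9
    (10, 2): (10, 2, 13, 3),   # 10.2.13-h3
    (11, 1): (11, 1, 6, 1),    # 11.1.6-h1
    (11, 2): (11, 2, 4, 4),    # 11.2.4-h4
}
UNSUPPORTED = {(11, 0)}  # no fix shipped; the post says to upgrade off 11.0 entirely

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Version:
    """Parse 'major.minor.maint' or 'major.minor.maint-hN'; a missing -hN counts as hotfix 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def assess(text: str) -> str:
    """Classify one version: 'patched', 'vulnerable', 'unsupported-upgrade' or 'unknown-train'."""
    v = parse_version(text)
    train = v[:2]
    if train in UNSUPPORTED:
        return "unsupported-upgrade"
    fixed = FIXED.get(train)
    if fixed is None:
        return "unknown-train"  # a train the post does not list; check the advisory directly
    # Tuple comparison orders maintenance releases before hotfixes, so 10.1.15 > 10.1.14-h9.
    return "patched" if v >= fixed else "vulnerable"

def needs_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for every device that is not cleanly patched."""
    verdicts = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return [row for row in verdicts if row[2] != "patched"]

if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are made up).
    fleet = {"fw-edge-01": "10.2.13-h2", "fw-edge-02": "10.2.13-h3",
             "fw-dc-01": "11.0.4", "fw-lab-01": "11.1.6-h1"}
    for row in needs_action(fleet):
        print(*row)
```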

Adam Kues, the security researcher at Searchlight Cyber/Assetnote who discovered the flaw, found that it stemmed from inconsistencies between how Nginx and Apache components handled incoming requests, opening the door to directory traversal attacks. 

Palo Alto Networks also fixed two other security issues in that February update: 

  • CVE-2025-0109: A file deletion vulnerability (CVSS 5.5) letting unauthenticated attackers delete specific files like configuration data and logs 
  • CVE-2025-0110: A command injection vulnerability (CVSS 7.3) in the OpenConfig plugin allowing authenticated admins to run arbitrary commands 

Observed Attacks Following Disclosure 

Security researchers at GreyNoise Intelligence soon detected attempts targeting this vulnerability. Just one day after the flaw was publicized, attackers began scanning for and attempting to exploit vulnerable PAN-OS instances. 

The situation escalated rapidly. Within five days of the initial disclosure, GreyNoise observed a significant increase in malicious activity, tracking 25 distinct IP addresses actively exploiting the vulnerability – up from just 2 IPs when attacks first began. 

Most attack traffic originated from three primary countries: the United States, Germany, and the Netherlands. The rapid exploitation prompted Palo Alto Networks to classify CVE-2025-0108 as “Highest Urgency” for defenders, emphasizing the critical nature of applying patches immediately. 

Why PAN-OS Security Matters 

PAN-OS is the operating system behind all Palo Alto Networks firewalls, combining AI, machine learning, and advanced threat prevention to protect networks across applications, devices, and users. 

Its importance stems from how it gives security teams visibility and control through technologies like User-ID, Device-ID, App-ID, and Content-ID. 

PAN-OS provides several critical security functions: 

  • Application inspection, allowing security teams to set policies based on specific applications rather than just port numbers 
  • Machine learning to detect and block emerging threats like malware and zero-day exploits 
  • Multiple integrated security functions (antimalware, intrusion prevention, URL filtering, data loss prevention) in one platform 
  • Smooth integration with cloud environments 

These capabilities make PAN-OS a foundational component of many organizations’ security architectures, which is why vulnerabilities in this system can have wide-reaching implications. 

Anatomy of Authentication Bypass Attacks 

This incident illustrated how authentication bypass attacks work in practice. These attacks occur when threat actors circumvent systems designed to verify identity and authorization. While authentication typically relies on passwords, certificates, or other verification methods, implementation flaws can create security gaps. 

In this case, once attackers bypassed authentication, they could: 

  • Escalate their privileges and access restricted areas 
  • View, change, or delete sensitive information 
  • Install malware and change system settings 
  • Take over administrator accounts 

These attacks typically follow a pattern: 

  1. Information Gathering: Attackers map out login points, authentication methods, exposed APIs, and potential weak spots 
  2. Approach Selection: They choose their attack method – often SQL injection, brute force, session hijacking, or URL manipulation 
  3. Attack Execution: They bypass authentication without legitimate credentials 
  4. Access Expansion: Once inside, they can steal information, disable security logging, escalate privileges, and create backdoors 
  5. Evidence Removal: They conceal evidence using VPNs, altered timestamps, or erased logs 

Post-Exploitation Techniques 

After bypassing authentication in a system like PAN-OS, attackers typically have several options: 

Remote Access Trojans: These allow attackers to control systems remotely, executing commands, disabling security features, and stealing data through hidden communication channels. 

Keyloggers: By capturing keystrokes, attackers can collect login credentials and passwords, potentially using clipboard hijacking to grab copied passwords and gain control of other network components. 

Ransomware: Attackers can deploy encryption tools to block access to firewall settings, causing downtime and disrupting network operations until a ransom is paid. 

Botnets: Compromised systems can be turned into parts of larger networks for launching DDoS attacks or sending spam, with firewalls sometimes being used as proxies for other malicious activities. 

The rapid response from Palo Alto Networks in classifying this vulnerability as “Highest Urgency” reflected the serious damage these techniques could cause if successful exploitation occurred. 

Effective Mitigation Strategies 

Organizations using PAN-OS implemented these measures to protect their systems: 

  • Applied security patches, upgrading to at least PAN-OS 10.1.14-h9, 10.2.13-h3, 11.1.6-h1, or 11.2.4-h4 
  • Restricted access to firewall management interfaces, ensuring they weren’t exposed to the public internet 
  • Implemented network segmentation to isolate critical infrastructure 
  • Audited access logs for signs of suspicious activity, particularly access to management interfaces 
  • When patches couldn’t be applied immediately, temporarily disabled web access to the management interface 
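The log-audit step above is the one most teams improvise. As an added example (not code from the post or from Palo Alto Networks), the Python below reads access-log lines for a management interface, flags requests that carry directory-traversal sequences or come from outside the expected management networks, and ranks offending sources. It assumes combined log format and a constructed allow-list of 10.50.0.0/24; the real PAN-OS log layout and your management subnets will differ, and the sample lines are constructed.

```python
"""Flag suspicious requests to a firewall management interface in access-log lines."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Networks from which management access is expected (constructed example values).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Directory-traversal markers: plain, URL-encoded and double-encoded dot-dot forms.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e%252e)", re.IGNORECASE)

# Combined log format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def analyze_line(line: str) -> Dict[str, object]:
    """Parse one line and list the reasons it looks suspicious (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False}
    src, ts, method, path, status = m.groups()
    reasons: List[str] = []
    if TRAVERSAL.search(path):
        reasons.append("traversal-sequence")
    try:
        outside = not any(ipaddress.ip_address(src) in net for net in ALLOWED_MGMT_NETS)
    except ValueError:
        outside = True  # not an IP literal, so treat the source as unknown
    if outside:
        reasons.append("source-outside-mgmt-networks")
    return {"parsed": True, "src": src, "time": ts, "method": method,
            "path": path, "status": int(status), "reasons": reasons}

def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only parsed lines that triggered at least one reason."""
    return [r for r in (analyze_line(l) for l in lines) if r.get("parsed") and r["reasons"]]

def sources_by_hits(findings: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Rank offending source IPs; a growing list is the pattern GreyNoise described."""
    return Counter(str(f["src"]) for f in findings).most_common()

# Constructed sample log (RFC 5737 documentation addresses, generic traversal paths).
SAMPLE_LOG = [
    '10.50.0.21 - - [13/Feb/2025:08:05:40 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.7 - - [13/Feb/2025:08:06:02 +0000] "GET /login HTTP/1.1" 200 1532',
    '203.0.113.7 - - [13/Feb/2025:08:06:03 +0000] "GET /static/%2e%2e/%2e%2e/x.txt HTTP/1.1" 403 512',
    '198.51.100.9 - - [13/Feb/2025:08:07:10 +0000] "GET /../../etc/passwd HTTP/1.1" 404 220',
    "garbage line that does not parse",
]
```

Run `audit(SAMPLE_LOG)` to get the three flagged requests and `sources_by_hits(...)` to see which sources recur; the in-network login on the first line is left alone.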

The speed at which organizations applied these mitigations played a significant role in limiting the impact of exploitation attempts. 

How Endpoint Privilege Management Could Have Helped 

While proper network segmentation and timely patching helped prevent these attacks, Endpoint Privilege Management (EPM) tools could have added an important layer of security by controlling who received admin access and when. 

Admin By Request EPM removes standing administrative privileges and instead requires users to request temporary admin rights only when needed. When someone needs to install something or change settings, Admin By Request manages this without giving them permanent admin access, creating a detailed audit trail in the process. 

This approach offers several advantages: 

  • Run as Admin: Users can run specific applications with elevated rights without receiving full admin privileges 
  • Temporary Admin Sessions: Users get time-limited admin access to complete necessary tasks 
  • PIN Code Elevation: For special cases, admins can generate one-time PINs for temporary access 
  • Pre-Approved Applications: Trusted applications can automatically run with elevated rights 

In the context of the PAN-OS vulnerability, Admin By Request would have helped by: 

  • Limiting potential attack paths by reducing admin privileges 
  • Providing detailed logs to quickly spot suspicious activity 
  • Granting privileges only when needed, reducing the exposure window 
  • Preventing unauthorized software from executing with admin rights 

Key Takeaways 

The PAN-OS vulnerability case demonstrated how quickly threat actors can mobilize once vulnerabilities are disclosed. CISA’s addition of this vulnerability to their KEV catalog underscored its serious nature and the need for prompt remediation. 

While timely patching proved to be the most direct solution for this specific vulnerability, implementing robust access controls through tools like Admin By Request EPM can significantly reduce the impact of future vulnerabilities by limiting what attackers can do even if they gain initial access. 

The incident reinforced that security requires multiple defensive layers, as similar authentication bypass flaws continue to appear in various products. Organizations that applied these lessons strengthened their security posture against not just this specific threat, but against similar vulnerabilities that will inevitably emerge in the future. 

About the Author:

Pocholo Legaspi
