Palo Alto Networks has addressed a high-severity vulnerability in the PAN-OS management interface that could lead to authentication bypass.
The flaw, tracked as CVE-2025-0108, has a CVSS-B score of 8.8 and can enable an unauthenticated attacker with network access to the PAN-OS management web interface to bypass authentication and invoke certain PHP scripts.
While exploiting the flaw could impact integrity and confidentiality within PAN-OS, it does not enable attackers to achieve arbitrary remote code execution (RCE), Palo Alto noted in its advisory published Wednesday. There is no indication that CVE-2025-0108 has been exploited in the wild.
The vulnerability affects all versions of PAN-OS 10.1, 10.2, 11.1 and 11.2 prior to the fixed versions, which are 10.1.14-h9, 10.2.13-h3, 11.1.6-h1 and 11.2.4-h4. It does not impact Cloud NGFW or Prisma Access software.
CVE-2025-0108 was discovered by Assetnote, which is a part of Searchlight Cyber; Assetnote analysts found the flaw while examining the patches for previous PAN-OS flaws CVE-2024-0012 and CVE-2024-9474, which were exploited in the wild.
Investigating the architecture underlying the PAN-OS management interface led to the discovery that a path confusion flaw between Nginx and Apache components could lead to authentication bypass, Assetnote researchers said in a blog post Wednesday.
When a web request is sent to the PAN-OS management interface, it is first processed by the Nginx reverse proxy. At this point, several HTTP headers are set, including the X-pan-AuthCheck header that indicates whether or not authentication is needed based on location checks by Nginx.
The request then goes to Apache, which renormalizes and reprocesses the request and may rewrite the request URL based on certain rules, Assetnote researchers explained. The researchers noted that Apache performs an internal redirect when a URL is rewritten and then reprocesses it as though it were a new request, newly decoding the URL each time.
The way Apache handles these rewrites and redirects may lead it to decode and reprocess a URL more than once, whereas Nginx will only decode it once. This discrepancy can lead Nginx and Apache to interpret the same request differently, with Nginx determining no authentication is needed while Apache eventually passes along a sensitive request that should have required authentication.
An attacker could exploit this flaw by crafting a request that includes multiple layers of encoding, such that Nginx will set the header “X-pan-AuthCheck: off” but Apache will ultimately decode and renormalize it to invoke the targeted PHP script.
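The decoding discrepancy described above leaves a trace defenders can look for: a request path that still changes when it is percent-decoded a second time. The following detection sketch is an added example, not code from Palo Alto Networks or Assetnote; the log format, the placeholder paths, the two-pass threshold and the function names are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format). The paths are placeholders,
# not real PAN-OS management URLs.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2025:10:00:01 +0000] "GET /example/index.html HTTP/1.1" 200 512
198.51.100.7 - - [12/Feb/2025:10:00:02 +0000] "GET /example/report%20q1.pdf HTTP/1.1" 200 2048
203.0.113.9 - - [12/Feb/2025:10:00:03 +0000] "GET /example/open/%252e%252e/restricted/page HTTP/1.1" 200 77
203.0.113.9 - - [12/Feb/2025:10:00:04 +0000] "GET /example/%25252e%25252e/x HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MAX_PASSES = 5  # assumed cap; stops pathological inputs from looping long


def decode_depth(path):
    """Return (passes, final): how many decode passes changed the path."""
    passes = 0
    while passes < MAX_PASSES:
        decoded = unquote(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return passes, path


def flag_nested_encoding(log_text):
    """Flag requests whose path still changes on a second decode pass."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1).split("?", 1)[0]  # path only, drop query string
        passes, final = decode_depth(raw)
        if passes >= 2:  # one proxy's view differs from a re-decoding backend's
            findings.append({"raw": raw, "passes": passes, "final": final,
                             "dot_segments": "/../" in final})
    return findings


if __name__ == "__main__":
    for finding in flag_nested_encoding(SAMPLE_LOG):
        print(finding)
```

A file name containing a literal percent sequence (for example "%20" sent as "%2520") also trips the two-pass threshold, so treat hits as leads for review and weight those where `dot_segments` is true.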
Palo Alto Networks notes that the flaw’s severity drops from a high CVSS-B score of 8.8 to a medium score of 5.9 if access to the PAN-OS management interface is restricted to whitelisted IP addresses only. With these restrictions set, an attacker would first need to gain control of the trusted IP addresses in order to complete the exploit.