Palo Alto Networks has confirmed that a recently patched critical vulnerability in PAN-OS, its firewall operating system, tracked as CVE-2025-0108, is being actively exploited by threat actors. The vulnerability, which was disclosed on February 12, allows unauthenticated attackers to bypass authentication and gain access to the firewall’s management interface.
“Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” the company noted in an updated advisory.
Security researchers at the threat intelligence firm GreyNoise reported the first observed exploitation attempts on February 13. While the exact nature of the exploitation remains unclear, GreyNoise has classified the activity as “malicious.” By Tuesday, February 18, GreyNoise had detected exploit attempts originating from nearly 30 unique IP addresses.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0108 and another flaw impacting SonicWall SonicOS SSLVPN (CVE-2024-53704) to its Known Exploited Vulnerabilities (KEV) catalog.