Active Exploits Target Unpatched Palo Alto Networks Firewalls
Cybersecurity firm Assetnote has published a proof-of-concept exploit that chains two critical vulnerabilities, CVE-2025-0108 and CVE-2024-9474, affecting unpatched Palo Alto Networks firewall appliances. Attackers have started exploiting these flaws simultaneously, raising concerns about the security of these devices.
Palo Alto Networks has confirmed that threat actors are exploiting three vulnerabilities - CVE-2025-0108, CVE-2025-0111, and CVE-2024-9474 - in unpatched PAN-OS web management interfaces. The exploit chain was first detected on February 19, just days after Assetnote's publication and Palo Alto's disclosure of the vulnerabilities and patches on February 12.
The vulnerabilities include an authentication bypass (CVE-2025-0108) and an authenticated file read (CVE-2025-0111), both rated high severity, with CVSS scores of 8.8 and 7.1, respectively. The third vulnerability, CVE-2024-9474, is a privilege escalation issue with a CVSS score of 6.9 and was fixed in November 2024. CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities catalog on February 18.
Organizations are urged to patch their Palo Alto Networks firewall appliances immediately to protect against these active exploits. The specific threat actors remain unidentified, but the simultaneous exploitation of these vulnerabilities highlights the importance of timely patch management.