CVE-2025-0108 PAN-OS Auth Bypass - Back from the Dead

July 2025 by CrowdSec

The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2025-0108 in Palo Alto Networks PAN-OS. PAN-OS is the custom operating system developed by Palo Alto Networks that runs its firewalls. PAN-OS is responsible for managing all core firewall functions, including traffic classification, threat prevention, application control, and user identification. It enables security policies that go beyond the traditional port-based rules of packet filters such as iptables, using deep packet inspection and other advanced techniques to enforce granular, context-aware controls across the network. Because of the role PAN-OS plays in a customer's layered defence strategy, vulnerabilities in PAN-OS present a significant danger.

Key findings

• CrowdSec discovered a novel campaign targeting CVE-2025-0108 starting on June 27th.

• This new campaign highlights the importance of keeping tabs on n-day vulnerabilities.

About the exploit

The vulnerability this newsletter covers was disclosed by Palo Alto Networks on February 12th of this year, with a proof-of-concept attack made public the same day. It allows unauthenticated attackers to bypass the authentication otherwise required by the PAN-OS web interface and invoke a number of exposed PHP scripts. The vulnerability affects multiple versions of PAN-OS, up to version 11.2.4.

CrowdSec previously published a threat report about this vulnerability after a massive campaign targeted it in March of this year. The attack then died down, and we expected it to stay that way, considering the vendor had already patched the vulnerability and the vulnerability itself was not severe enough to warrant addition to the botnets that make up a large fraction of internet background noise.

...