Palo Alto Networks Firewall Vulnerability Under Attack - Security Update

February 19, 2025
Palo Alto Networks Firewalls Under Attack: New Vulnerability Exploited

Palo Alto Networks, a leading U.S. cybersecurity firm, has issued a warning regarding the exploitation of a new security flaw within its firewall software.

Details of the Vulnerability

Hackers are actively leveraging a recently revealed vulnerability present in PAN-OS, the operating system powering Palo Alto Networks firewalls. This confirmation came from the California-based company on Tuesday.

The vulnerability, designated as CVE-2025-0108, was initially identified by the cybersecurity firm Assetnote earlier this month.

Urgent Patching Advised

Palo Alto Networks promptly released an advisory on the same day as the discovery, strongly recommending that customers apply the necessary patches immediately. The advisory was updated on Tuesday to confirm active exploitation of the vulnerability.

Vulnerability Chaining

Attackers are reportedly combining this new vulnerability with two previously disclosed flaws – CVE-2024-9474 and CVE-2025-0111 – to compromise unpatched and insecure PAN-OS web management interfaces.

CVE-2024-9474 has been observed in attacks since November 2024, as previously reported.

While the specific method of chaining these vulnerabilities hasn't been detailed by Palo Alto Networks, the company notes the attack's complexity is considered “low.”

Increased Exploitation Activity

The extent of the exploitation is still being determined. However, threat intelligence company GreyNoise reported a significant increase in activity.

They have observed 25 IP addresses actively exploiting the PAN-OS vulnerability, a rise from just two on February 13th. This indicates a growing trend in exploitation attempts.

GreyNoise has categorized these exploitation attempts as “malicious,” suggesting the involvement of threat actors rather than security researchers.

Impact and Geographic Distribution

The vulnerability allows unauthenticated attackers to execute specific PHP scripts, potentially granting unauthorized access to vulnerable systems, according to GreyNoise.

The highest levels of attack traffic have been detected in the United States, Germany, and the Netherlands.

Currently, the identity of the attackers remains unknown, and it is unclear whether any sensitive data has been compromised.

Government Response

The U.S. government’s cybersecurity agency, CISA, added the latest Palo Alto bug to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday.

This listing signifies the urgency of addressing the vulnerability.
