- Palo Alto Networks warns of an ongoing attack against its firewalls
- Threat actors are chaining multiple flaws
- The goal is to download configuration files
Palo Alto Networks has warned its users of an ongoing attack that chains multiple vulnerabilities to download configuration files and other sensitive information.
The cybersecurity company warned its users about CVE-2025-0111, a 7.1/10 (high severity) file read vulnerability affecting PAN-OS firewalls. The flaw allows an authenticated attacker with network access to the management web interface to read files that are generally readable by the “nobody” user.
The bug was fixed on February 12, 2025, when Palo Alto released a patch and urged users to apply it.
Bypass
The same day, the company addressed a separate vulnerability, tracked as CVE-2025-0108. This is an authentication bypass in PAN-OS that allows an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS interface and invoke certain PHP scripts.
Finally, in mid-November 2024, Palo Alto fixed a privilege escalation bug tracked as CVE-2024-9474. Now, researchers say these three flaws are being chained in ongoing attacks.
“Palo Alto Networks has observed exploitation attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” the security advisory said.
The company did not discuss the details of the attack, but BleepingComputer found that the chain is being used to download configuration files and other sensitive information.
So far, at least 25 different IP addresses have been observed targeting CVE-2025-0108, up from only two a week earlier. The main sources of the attacks appear to be the United States, Germany and the Netherlands, although this does not necessarily mean the threat actors are located there.
While the community rushed to apply the patch and mitigate the potential risk, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog, which gives users until March 11 to patch.
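The KEV listing matters operationally because it attaches a remediation due date to the CVE. Below is an added example (not from the article, Palo Alto Networks, or CISA) showing how a defender can cross-reference a firewall inventory's still-open CVEs against the KEV feed and flag anything past its due date. The feed URL and the field names cveID, vendorProject, product and dueDate match CISA's public JSON feed; SAMPLE_KEV, the example hostnames and the inventory contents are constructed, and the year 2025 for the March 11 due date is assumed from the article's timeline.

```python
"""Cross-reference outstanding firewall CVEs against CISA's KEV catalog.

Added example, not part of the original article. The feed URL and the KEV
field names (cveID, vendorProject, product, dueDate) match the public CISA
feed; SAMPLE_KEV and FIREWALL_INVENTORY below are constructed test data.
"""
import json
from datetime import date
from urllib.request import urlopen

# Real location of the CISA KEV JSON feed; only fetched when load_kev() is
# called without an explicit document.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed stand-in for the feed: one entry for the CVE the article says
# CISA added, with the March 11 due date it reports (year 2025 assumed).
SAMPLE_KEV = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-0108",
            "vendorProject": "Palo Alto Networks",
            "product": "PAN-OS",
            "dueDate": "2025-03-11",
        },
    ]
}

# Constructed inventory: hostnames are placeholders, and each CVE list stands
# for what a vulnerability scanner reported as still open on that firewall.
FIREWALL_INVENTORY = [
    {"host": "fw-edge-01.example", "open_cves": ["CVE-2025-0108", "CVE-2025-0111"]},
    {"host": "fw-edge-02.example", "open_cves": ["CVE-2024-9474"]},
    {"host": "fw-lab-01.example", "open_cves": []},
]


def load_kev(document=None):
    """Return a dict keyed by CVE id from a KEV JSON document (or the live feed)."""
    if document is None:
        with urlopen(KEV_URL, timeout=30) as resp:
            document = json.load(resp)
    return {entry["cveID"]: entry for entry in document["vulnerabilities"]}


def check_inventory(inventory, kev, today):
    """List every (host, CVE) pair present in KEV; `today` is an ISO date string.

    Each finding carries the KEV due date and whether it has already passed.
    Open CVEs that are not in the catalog are skipped, not reported.
    """
    as_of = date.fromisoformat(today)
    findings = []
    for device in inventory:
        for cve in device["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open CVE, but not (yet) in the KEV catalog
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": device["host"],
                "cve": cve,
                "product": entry.get("product", ""),
                "due": due.isoformat(),
                "overdue": as_of > due,
            })
    return findings


if __name__ == "__main__":
    # Swap SAMPLE_KEV for None to pull the live feed instead.
    catalog = load_kev(SAMPLE_KEV)
    for f in check_inventory(FIREWALL_INVENTORY, catalog, date.today().isoformat()):
        state = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f'{f["host"]}: {f["cve"]} ({f["product"]}) is in KEV, {state}')
```

Run as-is it reports against the constructed sample; pass `None` to `load_kev()` to check the same inventory against the live catalog. CVEs that are open but not yet in KEV are deliberately not reported, so this complements rather than replaces the scanner's own severity ranking.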