- Palo Alto Networks warns of an attack in progress against its firewalls
- Threat actors are chaining several flaws together
- The goal is to download configuration files
Palo Alto Networks has warned its users of an ongoing attack that exploits several vulnerabilities to download configuration files and other sensitive information.
The cybersecurity company warned its users of CVE-2025-0111, a 7.1/10 (high severity) file read vulnerability affecting the PAN-OS firewall. This bug allows an authenticated attacker with network access to the management web interface to read files that are generally readable by the “nobody” user.
The bug was fixed on February 12, 2025, when Palo Alto released a patch and urged users to apply it.
Derivation
On the same day, the company addressed a separate vulnerability, tracked as CVE-2025-0108. This is an authentication bypass in PAN-OS that allows an unauthenticated attacker with network access to the web interface to bypass the authentication otherwise required by the PAN-OS interface and invoke certain PHP scripts.
Finally, in mid-November 2024, Palo Alto fixed a privilege escalation bug tracked as CVE-2024-9474. Now the researchers say that these three are being chained in current attacks.
“Palo Alto Networks has observed exploitation attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces,” it said in the security advisory.
The company has not discussed the details of the attack, but BleepingComputer has found that the flaws are being used to download configuration files and other sensitive information.
So far, at least 25 different IP addresses have been observed targeting CVE-2025-0108, compared with only two a week ago. The main sources of the attacks appear to be the United States, Germany and the Netherlands, although this does not necessarily mean that the threat actors are located there.
While the community rushes to apply the patch and mitigate potential risks, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog, giving users until March 11 to patch.