Palo Alto Networks has disclosed a critical vulnerability in its PAN-OS network security operating system, identified as CVE-2025-0108, which allows attackers to bypass authentication on the management web interface. The flaw, given a CVSSv3.1 score of 7.8, stems from weaknesses in the interaction between Nginx and Apache, two core components of PAN-OS’s management interface. This vulnerability enables unauthenticated attackers to execute certain PHP scripts, exposing affected systems to significant risks.
The issue arises from a path confusion and header smuggling problem in Nginx, which proxies requests to Apache. When a request to PAN-OS is processed by Nginx, the X-pan-AuthCheck header, which signals authentication requirements, can be turned off for certain paths like /unauth/. This misconfiguration allows unauthorized access to critical areas of the management interface.
Apache performs internal redirects that improperly decode URLs, enabling attackers to bypass authentication and access sensitive resources.
Exploitation of this vulnerability allows attackers to gain unauthorized access to the PAN-OS management interface without proper credentials. While this does not enable remote code execution directly, the flaw poses severe risks to the confidentiality and integrity of the system, as attackers can interact with sensitive administrative functionalities. A proof-of-concept demonstration showed how an attacker could exploit this flaw by sending a specially crafted request, ultimately receiving a response granting access to restricted resources.
To mitigate this risk, Palo Alto Networks has released patches in various versions of PAN-OS, including 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. Users are strongly advised to upgrade their systems to these patched versions or later releases. Additionally, the company recommends restricting access to the management interface by whitelisting trusted internal IP addresses as a best practice. Organizations must act swiftly to patch affected systems and strengthen access controls to prevent potential exploitation.
