CyberSecurity news

FlagThis - #pan-os

Pierluigi Paganini@Security Affairs //
Palo Alto Networks has issued a warning about brute-force login attempts against PAN-OS GlobalProtect gateways after security researchers observed a surge in suspicious scanning activity aimed at these portals. The company has confirmed that it is seeing password-related attacks, but stresses that it has found no evidence of any vulnerability being exploited. It continues to monitor and analyze the reported activity to determine its impact and whether additional mitigations are needed.

Threat intelligence firm GreyNoise reported that the activity began around March 17, 2025 and peaked at nearly 24,000 unique source IP addresses before tapering off toward the end of the month. A burst of that size against a single product line looks like a coordinated effort to probe defenses and enumerate exposed or vulnerable login portals rather than opportunistic background noise, and GreyNoise flags the pattern as a possible precursor to new exploitation attempts. The scanning primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Singapore.

Palo Alto Networks urges customers to adopt several mitigations against brute-force attacks: run the latest PAN-OS release, enforce multi-factor authentication (MFA) for GlobalProtect users, configure GlobalProtect to generate MFA notifications, create security policies that detect and block brute-force attempts, and reduce unnecessary internet exposure of the portal and gateway. Because a brute-force campaign produces a dense stream of authentication failures, the GlobalProtect and authentication logs are the first place to look both for the attack itself and for any successful login that follows it. The security community continues to monitor the situation and stresses proactive measures to protect against credential compromise.
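The detection side of those recommendations, as an added example that is not Palo Alto Networks code: a sliding-window detector that reads GlobalProtect authentication events, flags a source that fails repeatedly against one account (brute force), a source that fails once each against many accounts (password spraying), and the case worth paging on, a success from a source that has just failed many times. The CSV layout of the events and the sample lines are constructed for this demo; the field positions would have to be mapped onto the real PAN-OS GlobalProtect log format. The alerting sources are also rendered as the body of an External Dynamic List, which a PAN-OS security policy can consume to block them.

```python
"""Sliding-window detector for GlobalProtect credential attacks.

Added example, not Palo Alto Networks code. It reads authentication
events in a simplified CSV form (timestamp,event,status,source,user)
that is an assumption made for this demo; the field positions would have
to be mapped onto the real PAN-OS GlobalProtect log format in practice.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real traffic. Three sources:
#   203.0.113.10  hammers one account, then logs in successfully
#   198.51.100.7  tries one password against many accounts (spraying)
#   192.0.2.55    a legitimate user mistyping a password now and then
SAMPLE_LOG = """\
2025/03/17 10:00:01,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:03,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:05,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:07,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:09,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:11,gateway-auth,failure,203.0.113.10,alice
2025/03/17 10:00:15,gateway-auth,success,203.0.113.10,alice
2025/03/17 10:00:20,gateway-auth,failure,198.51.100.7,bob
2025/03/17 10:00:21,gateway-auth,failure,198.51.100.7,carol
2025/03/17 10:00:22,gateway-auth,failure,198.51.100.7,dave
2025/03/17 10:00:23,gateway-auth,failure,198.51.100.7,erin
2025/03/17 10:00:24,gateway-auth,failure,198.51.100.7,frank
2025/03/17 10:00:30,gateway-auth,success,192.0.2.55,grace
2025/03/17 10:05:00,gateway-auth,failure,192.0.2.55,grace
2025/03/17 10:15:00,gateway-auth,failure,192.0.2.55,grace
"""

WINDOW = timedelta(seconds=60)   # sliding window per source address
FAIL_THRESHOLD = 5               # failures in WINDOW -> brute-force
SPRAY_THRESHOLD = 4              # distinct users in WINDOW -> spraying


def parse_events(text):
    """Yield (timestamp, event, status, source, user) tuples."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, status, src, user = line.split(",")
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), event, status, src, user


def detect(text, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD):
    """Return alerts, one per (source, kind), in the order they fire.

    Events must be in chronological order. A success does not clear the
    failure window: a success that follows a burst of failures from the
    same source is the case most worth paging on.
    """
    failures = defaultdict(deque)   # src -> deque of (ts, user), oldest first
    seen = set()                    # (src, kind) pairs already alerted
    alerts = []

    def fire(kind, src, ts, q):
        if (src, kind) in seen:
            return
        seen.add((src, kind))
        alerts.append({"kind": kind, "src": src, "at": ts,
                       "count": len(q), "users": sorted({u for _, u in q})})

    for ts, event, status, src, user in parse_events(text):
        q = failures[src]
        # Evict failures older than the window before evaluating thresholds.
        while q and ts - q[0][0] > window:
            q.popleft()
        if status == "failure":
            q.append((ts, user))
            if len(q) >= fail_threshold:
                fire("brute-force", src, ts, q)
            if len({u for _, u in q}) >= spray_threshold:
                fire("password-spray", src, ts, q)
        elif status == "success" and len(q) >= fail_threshold:
            fire("success-after-failures", src, ts, q)
    return alerts


def edl_text(alerts):
    """Render alerting sources as an External Dynamic List body (one IP per
    line) that a PAN-OS security policy can reference to block them."""
    return "".join(f"{ip}\n" for ip in sorted({a["src"] for a in alerts}))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['at']:%H:%M:%S} {a['kind']:<22} {a['src']:<14} "
              f"failures={a['count']} users={','.join(a['users'])}")
    print(edl_text(found), end="")
```

On the sample data the detector fires four alerts: brute force and then success-after-failures for 203.0.113.10, and password spraying followed by brute force for 198.51.100.7. The two failures from 192.0.2.55 are ten minutes apart, so the window evicts the first before the second arrives and no alert is raised; tune WINDOW and the thresholds to the gateway's real failure rate before feeding the EDL into a blocking policy.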



References :
  • securityaffairs.com: Palo Alto warns of brute-force login attempts on PAN-OS GlobalProtect gateways indicating possible upcoming attacks
  • The Hacker News: Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
  • www.scworld.com: Palo Alto confirms brute-force attacks on PAN-OS GlobalProtect gateways
  • aboutdfir.com: Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
  • bsky.app: Palo Alto warns of brute-force login attempts on PAN-OS GlobalProtect gateways indicating possible upcoming attacks
Classification:
  • HashTags: #PaloAltoNetworks #PAN-OS #GlobalProtect
  • Company: Palo Alto Networks
  • Target: PAN-OS GlobalProtect gateways
  • Product: PAN-OS GlobalProtect
  • Feature: Brute-force attacks
  • Type: Hack
  • Severity: Medium
@The GreyNoise Blog //
GreyNoise has observed active exploitation of CVE-2025-0108, a high-severity authentication bypass in the PAN-OS management web interface, and has confirmed live attacks against PAN-OS firewalls. The flaw lets an unauthenticated attacker with network access to the management interface bypass authentication and invoke certain PHP scripts, giving unauthorized access to the device. Later reports cited below note that it is being chained with CVE-2024-9474 and the file-read bug CVE-2025-0111 to fully compromise firewalls. Organizations running PAN-OS should assume that unpatched devices whose management interface is reachable are being targeted.

To mitigate this threat, defenders should apply the PAN-OS security patches as soon as possible and restrict access to the firewall management interface to trusted internal IP addresses so that it is not reachable from the internet; it is exposure of the management interface, not of the data plane, that makes this bug exploitable. Monitoring active exploitation trends and using real-time threat intelligence helps prioritise which devices to patch first. Researchers note that the vulnerability is trivial to exploit and that a public proof of concept was being fired across the internet almost immediately, which raises the potential for widespread abuse.
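Triage of a PAN-OS fleet for the patch step above, as an added example that is not Palo Alto Networks code: it parses PAN-OS version strings (major.minor.maintenance with an optional -hN hotfix suffix), compares each device against the first fixed release of its feature train, and reads the running version out of a "show system info" XML API response. The FIXED table, the sample API response and the inventory are assumptions constructed for this demo; confirm the fixed releases against the vendor advisory for CVE-2025-0108 before relying on the result.

```python
"""Patch-status triage of a PAN-OS fleet for CVE-2025-0108.

Added example, not Palo Alto Networks code. It parses PAN-OS version
strings ("major.minor.maintenance" plus an optional "-hN" hotfix),
compares them against the first fixed release of each feature train, and
reads the running version out of a "show system info" XML API response.
The FIXED table is an assumption that must be checked against the vendor
advisory for CVE-2025-0108 before this is used for anything real.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# First fixed release per train (assumed values; confirm with the advisory).
# A train absent from this table, e.g. an end-of-life one, is treated as
# unpatched, which is the conservative answer.
FIXED = {
    (10, 1): "10.1.14-h9",
    (10, 2): "10.2.13-h3",
    (11, 1): "11.1.6-h1",
    (11, 2): "11.2.4-h4",
}


def parse_version(text):
    """'10.2.13-h3' -> (10, 2, 13, 3); a release without a hotfix gets 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(version, fixed=FIXED):
    """True when version is at or above its train's first fixed release."""
    v = parse_version(version)
    first_fix = fixed.get(v[:2])
    if first_fix is None:
        return False
    return v >= parse_version(first_fix)


def version_from_sysinfo(xml_text):
    """Pull <sw-version> out of a 'show system info' XML API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    el = root.find("./result/system/sw-version")
    if el is None or not el.text:
        raise ValueError("sw-version missing from response")
    return el.text.strip()


def fetch_sysinfo(host, api_key, verify_tls=True):
    """Run the 'show system info' operational command over the XML API.
    Needs network access, so it is defined but not exercised here."""
    query = urllib.parse.urlencode({
        "type": "op",
        "cmd": "<show><system><info></info></system></show>",
        "key": api_key,
    })
    ctx = ssl.create_default_context()
    if not verify_tls:   # only for lab boxes with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}",
                                context=ctx, timeout=10) as resp:
        return resp.read().decode()


def triage(inventory, fixed=FIXED):
    """inventory: {hostname: version}. Returns sorted (host, version, status)."""
    rows = []
    for host, version in inventory.items():
        status = "patched" if is_patched(version, fixed) else "UNPATCHED"
        rows.append((host, version, status))
    return sorted(rows)


# Constructed sample response and inventory (not real devices).
SAMPLE_SYSINFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<sw-version>10.2.13-h2</sw-version>
</system></result></response>"""

SAMPLE_INVENTORY = {
    "fw-edge-01": version_from_sysinfo(SAMPLE_SYSINFO),  # one hotfix short
    "fw-dc-02": "11.1.6-h1",       # exactly the first fixed release
    "fw-lab-03": "11.0.4",         # train not in the fix table
    "fw-branch-04": "10.1.14-h10", # later hotfix on a fixed train
    "fw-core-05": "11.2.5",        # later maintenance release, no hotfix
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:<14} {version:<12} {status}")
```

Hotfix numbers are compared as a fourth version component, so 10.2.13-h2 is correctly reported as short of 10.2.13-h3 while 10.2.14 and 11.2.5 are reported as fixed. A device reported as patched still needs the second mitigation: the management interface should only be reachable from trusted addresses, whatever version it runs.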



References :
  • The GreyNoise Blog: GreyNoise Observes Active Exploitation of PAN-OS Authentication Bypass Vulnerability (CVE-2025-0108)
  • GreyNoise: 🚨 CVE-2025-0108 is being actively exploited! 🚨 GreyNoise sees live attacks on PAN-OS firewalls.
  • Blog: New Palo Alto vulnerability with active exploit attempts discovered
  • veriti.ai: CVE-2025-0108: Active Exploits Targeting Palo Alto PAN-OS – What You Need to Know
  • securityaffairs.com: Threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls.
  • Glenn ?: it took no time for the PoC of CVE-2025-0108 (PAN-OS Authentication Bypass) to start being fired off across the internet. We're back-processing some data now to pick up some prior exploitation as well.
  • socradar.io: Palo Alto Firewall Vulnerability (CVE-2025-0108) Under Attack – Are You at Risk?
  • VERITI: CVE-2025-0108: Active Exploits Targeting Palo Alto PAN-OS – What You Need to Know
  • securityadvisories.paloaltonetworks.com: Authentication Bypass in PAN-OS Management Web Interface Allows Unauthorized Access
  • BleepingComputer: Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.
  • The Hacker News: CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List
  • www.csoonline.com: Hackers gain root access to Palo Alto firewalls through chained bugs
  • securityaffairs.com: U.S. CISA adds SonicWall SonicOS and Palo Alto PAN-OS flaws to its Known Exploited Vulnerabilities catalog
  • securebulletin.com: Critical Palo Alto Firewall flaw under active attack: Patch NOW!
  • aboutdfir.com: Palo Alto Networks warns that a file read vulnerability (CVE-2025-0111) is now being chained in attacks with two other flaws (CVE-2025-0108 with CVE-2024-9474) to breach PAN-OS firewalls in active attacks.
  • Secure Bulletin: Critical Palo Alto Firewall flaw under active attack: Patch NOW!
  • techcrunch.com: Palo Alto Networks warns that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks
Classification:
  • HashTags: #vulnerability #PAN-OS #activeexploitation
  • Company: Palo Alto Networks
  • Target: PAN-OS users
  • Product: PAN-OS
  • Feature: Authentication Bypass
  • CVE: CVE-2025-0108
  • Type: Vulnerability
  • Severity: Critical