In an alarming development, Palo Alto Networks, a leading U.S. cybersecurity firm, has cautioned that a recently disclosed vulnerability in its firewall software is being actively exploited by malicious actors to breach customer networks. The warning comes just weeks after the company urged users to patch the flaw immediately.
The vulnerability, identified as CVE-2025-0108, was discovered by cybersecurity firm Assetnote while investigating two earlier Palo Alto firewall vulnerabilities that had been exploited in previous attacks. Palo Alto Networks swiftly released an advisory and a patch for the bug, but the company has now confirmed that the flaw is under active attack.
Hackers Chaining Multiple Vulnerabilities
According to Palo Alto Networks, attackers are combining CVE-2025-0108 with two previously disclosed vulnerabilities—CVE-2024-9474 and CVE-2025-0111—to target unpatched and unsecured PAN-OS web management interfaces. CVE-2024-9474 has been exploited in attacks since November 2024.
While the company has not provided details on how the three vulnerabilities are being chained together, it has noted that the complexity of the attack is “low,” suggesting that even less-sophisticated hackers could potentially exploit the flaws.
Exploitation Attempts on the Rise
The scale of the exploitation remains unknown, but threat intelligence startup GreyNoise has reported a significant increase in the number of IP addresses actively exploiting the PAN-OS vulnerability. As of February 13, only two IP addresses had been observed exploiting the flaw, but this number has since risen to 25.
GreyNoise has flagged the exploitation attempts as “malicious,” indicating that the activity is likely being carried out by threat actors rather than security researchers. The company has observed the highest levels of attack traffic originating from the United States, Germany, and the Netherlands.
“This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems,” GreyNoise stated in a blog post on Tuesday.
Potential Impact and Response
The potential impact of these attacks remains unclear, as it is not yet known whether any sensitive data has been stolen from customers’ networks. Palo Alto Networks did not immediately respond to requests for comment on the matter.
In response to the growing threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the latest Palo Alto bug to its publicly listed Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity of the issue.
As the situation continues to unfold, Palo Alto Networks customers are urged to ensure that their systems are patched and secured against these vulnerabilities to prevent unauthorized access and potential data breaches. The cybersecurity community will be closely monitoring the situation for further developments and any additional guidance from Palo Alto Networks and relevant authorities.