Just a day after a cybersecurity firm disclosed details about a now-patched Palo Alto Networks firewall vulnerability, exploitation attempts came in from at least five unique IPs. The vulnerability tracked as CVE-2025-0108 can give an attacker access to the firewall’s management interface and run arbitrary PHP scripts if exploited.
The bug was first disclosed by Assetnote researchers, who responsibly reported it to Palo Alto Networks. On February 12, the company released patches and mitigations for the issue, and shortly after, Assetnote released technical details of the vulnerability. GreyNoise detected exploitation attempts targeting the bug the following day, as reported by SecurityWeek.
Usually, when there is a spike in exploitation attempts after a vulnerability is disclosed, a good number of them come from security researchers scanning for potentially vulnerable systems. In this case, however, GreyNoise has classified the attempts as malicious, meaning they are likely coming from threat actors looking to breach any unpatched, vulnerable targets.

CVE-2025-0108 needs to be chained with another vulnerability to achieve remote code execution. One potential fit is CVE-2024-9474, an actively exploited vulnerability patched in November 2024. Another authentication bypass bug, CVE-2024-0012, was also actively exploited at the same time. It is plausible that attackers already working with these bugs adapted their exploits to target the new vulnerability and, hence, did not need Assetnote’s report. Regardless, releasing technical details immediately after a vulnerability is patched isn’t a good idea.
Palo Alto Networks’ advisory for CVE-2025-0108 has not been updated to mention exploitation attempts, indicating that the company is not aware of any in-the-wild exploitation. The company has assigned the vulnerability a moderate urgency rating despite it being a high-severity bug with a CVSS score of 7.8.