Update: February 18, 2025
- GreyNoise now sees 25 malicious IPs actively exploiting CVE-2025-0108, up from 2 on February 13.
- Top 3 source countries of attack traffic: United States, Germany, Netherlands.
- Palo Alto Networks confirmed active exploitation and classified the CVE as ‘Highest Urgency’ for defenders.
CISA added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog.
GreyNoise has observed active exploitation attempts targeting a newly disclosed authentication bypass vulnerability, CVE-2025-0108, affecting Palo Alto Networks PAN-OS. This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems.
Active Exploitation Detected in the Wild
GreyNoise can confirm active exploitation of CVE-2025-0108.
Organizations relying on PAN-OS firewalls should assume that unpatched devices are being targeted and take immediate steps to secure them.
Mitigation Steps: Act Now
Defenders should take the following steps immediately:
- Apply security patches for PAN-OS as soon as possible.
- Restrict access to firewall management interfaces — ensure they are not publicly exposed.
- Monitor active exploitation trends with GreyNoise’s CVE-2025-0108 tag.
GreyNoise will continue tracking this threat as it evolves. Stay ahead of exploitation attempts by leveraging GreyNoise’s real-time intelligence.
Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.
