Palo Alto Networks PAN-OS - Auth Bypass
Exploitation Summary
CVE-2025-0108 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 18, 2025. EIP tracks 7 public exploits from researchers including iSee857, FOLKS-iwd, becrevex. A Nuclei detection template is also available.
AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability in PAN-OS by exploiting a path traversal flaw in the `/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css` endpoint. It checks for the presence of 'Zero Touch Provisioning' in the response to confirm vulnerability.
Description
An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact integrity and confidentiality of PAN-OS. You can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431. This issue does not affect Cloud NGFW or Prisma Access software.
Exploits (7)
This PoC demonstrates an authentication bypass vulnerability in PAN-OS by exploiting a path traversal flaw in the `/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css` endpoint. It checks for the presence of 'Zero Touch Provisioning' in the response to confirm vulnerability.
This repository provides a Nuclei template for detecting CVE-2025-0108, an authentication bypass vulnerability in Palo Alto Networks' PAN-OS. The template sends crafted HTTP requests to test for the vulnerability.
This repository provides an Nmap NSE script to scan for CVE-2025-0108 in Palo Alto Networks devices. It does not contain exploit code but serves as a detection tool for vulnerable targets.
This repository contains a Python script that scans for CVE-2025-0108, an authentication bypass vulnerability in Palo Alto PAN-OS. The script checks for the presence of a specific endpoint and response content to determine vulnerability.
This repository contains a Python-based vulnerability scanner for CVE-2025-0108, an authentication bypass flaw in Palo Alto Networks' PAN-OS. The script checks for the presence of 'Zero Touch Provisioning' in the response to a crafted HTTP request, indicating potential vulnerability.
This repository contains a functional PoC for CVE-2025-0108, demonstrating an authentication bypass vulnerability via path confusion and header smuggling in a multi-layer stack (Nginx -> Flask backend -> Apache/PHP). The vulnerable version allows double-encoded paths to bypass authentication, while the fixed version includes backend-side mitigation.
This repository contains a Python script that checks for the CVE-2025-0108 authentication bypass vulnerability in PAN-OS devices by sending a crafted HTTP request and analyzing the response for indicators of vulnerability.
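A defender-side check for the request pattern these summaries describe, as an added example that is not code from this page or from any listed repository: it reads web access-log lines, keeps requests under `/unauth/`, and flags those whose path resolves outside `/unauth/` after repeated percent-decoding. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed format, not from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2025:10:01:02 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Feb/2025:10:01:05 +0000] "GET /unauth/static/login.css HTTP/1.1" 200 128',
    '192.0.2.12 - - [18/Feb/2025:10:01:09 +0000] "GET /unauth/%2e%2e/php/ztp_gate.php HTTP/1.1" 200 512',
    '192.0.2.13 - - [18/Feb/2025:10:01:12 +0000] "GET /php/login.php?next=%252e HTTP/1.1" 200 900',
]
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
UNAUTH_PREFIX = "/unauth/"
MAX_ROUNDS = 3  # decode at most this many times to bound the work per line

def decode_rounds(path):
    """Percent-decode repeatedly; return (decoded_path, rounds_that_changed_it)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(raw_target):
    """Return a finding if an /unauth/ path resolves outside /unauth/, else None."""
    path = raw_target.split("?", 1)[0]  # the query string is not part of the path
    if not path.startswith(UNAUTH_PREFIX):
        return None
    decoded, rounds = decode_rounds(path)
    resolved = posixpath.normpath(decoded)  # collapses "seg/.." pairs
    if resolved.startswith(UNAUTH_PREFIX) or resolved == "/unauth":
        return None  # still inside the unauthenticated area after decoding
    kind = "double-encoded" if rounds >= 2 else "encoded" if rounds == 1 else "literal"
    return {"raw": path, "resolved": resolved, "encoding": kind}

def scan(lines):
    """Collect findings, with the client address, from access-log lines."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        hit = classify(m.group(1)) if m else None
        if hit:
            hit["client"] = line.split(" ", 1)[0]
            findings.append(hit)
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A finding marked `double-encoded` means the raw path carried no literal `..` and no single-encoded `%2e%2e`, so a filter that decodes only once would not have seen the traversal.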
Nuclei Templates (1)
cpe:"cpe:2.3:o:paloaltonetworks:pan-os" || http.favicon.hash:"-631559155"
icon_hash="-631559155"
References (8)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N