Description

A vulnerability exists in the PAN-OS management interface due to discrepancies in path processing between Nginx and Apache. The flaw allows an attacker to exploit a path confusion weakness using double URL encoding combined with directory traversal. This bypasses authentication checks enforced by the X-pan-AuthCheck header. A successful exploit grants unauthorized access to the administrative interface, potentially compromising the firewall management system.

Remediation

Upgrade to the latest version of Palo Alto PAN-OS.

References

Technical Analysis of PAN-OS Authentication Bypass (CVE-2025-0108)

CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface

Related Vulnerabilities

WordPress Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2016-6635)

Oracle Database Server CVE-2019-2940 Vulnerability (CVE-2019-2940)

Grafana Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2024-10452)

PrestaShop Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5278)

qdPM Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-11811)

Severity

Critical

Classification

CVE-2025-0108 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Tags

Authentication Bypass Known Vulnerabilities Code Execution