Palo Alto Networks, a leading U.S. cybersecurity firm, has issued a warning that hackers are taking advantage of a newly identified vulnerability in its firewall software to infiltrate networks of customers who have yet to implement the necessary patches.
The company confirmed on Tuesday that attackers are leveraging a recently identified security flaw in PAN-OS, the operating system that powers Palo Alto Networks firewalls.
The vulnerability, designated CVE-2025-0108, was first uncovered by cybersecurity company Assetnote earlier this month during its investigation of two previous Palo Alto firewall vulnerabilities that were involved in earlier attacks.
On the same day as the disclosure, Palo Alto Networks published an advisory urging its clients to swiftly patch the newly revealed flaw. The firm updated its advisory on Tuesday to indicate that the vulnerability is currently under active exploitation.
According to the company, cybercriminals are combining this vulnerability with two other previously reported flaws—CVE-2024-9474 and CVE-2025-0111—to target insecure and unpatched web management interfaces of PAN-OS. The CVE-2024-9474 vulnerability has been actively exploited since November 2024, as previously reported.
While Palo Alto Networks has not elaborated on how these three vulnerabilities are being exploited together, it said that the overall complexity of the attack is considered “low.”
The extent of the ongoing exploitation remains unclear, but threat intelligence firm GreyNoise observed in a blog post on Tuesday that 25 distinct IP addresses were actively exploiting the PAN-OS vulnerability, up from two IP addresses on February 13, implying a rise in exploitation activity. GreyNoise has characterized these exploitation attempts as “malicious,” indicating potential involvement from threat actors rather than security researchers.
“This critical flaw enables unauthenticated attackers to execute specific PHP scripts, which may result in unauthorized access to vulnerable systems,” stated GreyNoise.
GreyNoise further reported that the highest levels of attack traffic have been observed coming from the U.S., Germany, and the Netherlands.
At this time, it remains uncertain who is orchestrating these attacks or whether any sensitive information has been compromised from customer networks. Palo Alto Networks did not immediately respond to inquiries from TechCrunch.
On Tuesday, CISA, the U.S. government’s cybersecurity agency, included the latest Palo Alto vulnerability in its publicly available Known Exploited Vulnerabilities (KEV) catalog.
Compiled by Techarena.au.


