Palo Alto Firewalls Face Triple Threat: CISA Warns of Active Exploits
Attackers are exploiting three vulnerabilities in unpatched Palo Alto Networks firewall appliances simultaneously. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog on February 18, highlighting the urgency of the situation.
The three vulnerabilities are CVE-2025-0108 (authentication bypass), CVE-2025-0111 (authenticated file read), and CVE-2024-9474 (privilege escalation), with CVSS scores ranging from 6.9 to 8.8. Palo Alto Networks released patches on February 12 and, on February 19, warned of a low-complexity attack chain. GreyNoise observed the number of IP addresses targeting CVE-2025-0108 rise from two on February 13 to 25 by February 18. Threat actors began actively exploiting CVE-2025-0108 shortly after a proof-of-concept was published, with attempts coming from two IP addresses.
Palo Alto Networks is known for reacting swiftly to security issues, and users are advised to install the available updates immediately. Regular monitoring of threat intelligence channels, such as Palo Alto Networks Threat Intelligence, CISA, and BSI, is recommended to stay informed about active threats.
While there are no officially confirmed reports of known organizations or targeted actors exploiting the latest CVEs in Palo Alto Networks firewall appliances, the increasing activity around CVE-2025-0108 serves as a reminder to remain vigilant. Users should prioritize patch management and maintain robust intrusion detection mechanisms to protect their networks.