PAN-OS Management Interface Authentication Bypass (CVE-2025-0108)
Description
The PAN-OS management interface contains an authentication bypass vulnerability caused by inconsistent URL path processing between Nginx (reverse proxy) and Apache (backend server). Attackers can exploit this path confusion by combining double URL encoding with directory traversal sequences to access protected administrative endpoints. The vulnerability circumvents authentication controls that rely on the X-pan-AuthCheck header, allowing unauthenticated remote attackers to access the management interface without valid credentials.
Remediation
Apply security patches immediately by upgrading PAN-OS to a fixed version as specified in the vendor advisory at https://security.paloaltonetworks.com/CVE-2025-0108. Until patching is complete, implement the following interim mitigations: (1) Restrict management interface access to trusted IP addresses only using firewall rules or access control lists, (2) Disable management interface access from untrusted networks, particularly the internet, (3) Enable multi-factor authentication for all administrative accounts, (4) Monitor authentication logs for suspicious access patterns or unexpected administrative sessions. Verify the patch installation by testing authentication controls and reviewing system logs for any indicators of prior exploitation.
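For mitigation (4), the following Python script is an added example, not part of the vendor advisory or any PAN-OS tooling. It decodes each request path layer by layer and flags paths where a ".." segment only appears after decoding, which is the condition under which a proxy and a backend that decode a different number of times disagree on the requested resource. It assumes web access logs in combined log format are available; the function names, sample IPs and sample paths are constructed for illustration and are not PAN-OS endpoints.

```python
import re
from urllib.parse import unquote

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MAX_PASSES = 4  # cap on decode passes so crafted input cannot cause long loops

def decode_layers(path):
    """Return [raw, decoded once, decoded twice, ...] until decoding changes nothing."""
    layers = [path]
    for _ in range(MAX_PASSES):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def has_traversal(path):
    """True when a path segment (query string excluded) is exactly '..'."""
    return ".." in re.split(r"[/\\]", path.split("?", 1)[0])

def classify(raw_path):
    """Label a request path by how it looks at each decoding depth."""
    layers = decode_layers(raw_path)
    if has_traversal(layers[0]):
        return "plain-traversal"    # literal '..' in the raw request
    if any(has_traversal(layer) for layer in layers[1:]):
        return "encoded-traversal"  # '..' appears only after decoding
    if len(layers) > 2:
        return "multi-encoded"      # needs 2+ passes, no traversal
    return "ok"

def scan(lines):
    """Return (verdict, path) for each log line whose request path is not 'ok'."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and classify(match.group(1)) != "ok":
            hits.append((classify(match.group(1)), match.group(1)))
    return hits

# Constructed sample lines: documentation IPs and hypothetical paths, not PAN-OS endpoints.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Feb/2025:10:01:02 +0000] "GET /public/login.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Feb/2025:10:01:05 +0000] "GET /public/%252e%252e/admin/page.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Feb/2025:10:02:11 +0000] "GET /public/%2e%2e/admin/page.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [12/Feb/2025:10:03:40 +0000] "GET /docs/report%2520q1.pdf HTTP/1.1" 200 9001',
]
print(*scan(SAMPLE_LOG), sep="\n")
```

A hit is a lead for review rather than proof of exploitation; correlate it with the response status and with any administrative session that followed from the same source.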