CISA Warns: Actively Exploited Palo Alto Firewall Vulnerabilities Urge Immediate Patching

Threat actors are chaining three vulnerabilities to target unpatched Palo Alto firewalls. CISA's warning highlights the urgent need for organizations to apply available patches.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0108 to its Known Exploited Vulnerabilities (KEV) catalog on February 18, following a surge in attacks exploiting this high-severity issue in Palo Alto Networks' firewall appliances. Patches were released earlier, but threat actors have quickly adapted, leading to a significant increase in exploitation attempts.

Palo Alto Networks released patches for CVE-2025-0108 and CVE-2025-0111 on February 12, 2025. However, within days, threat actors began exploiting CVE-2025-0108, with initial attempts coming from two IP addresses. By February 18, the number of IP addresses targeting this vulnerability had increased to 25.

The vulnerabilities, including CVE-2024-9474, are being chained together in attacks. A proof-of-concept exploit for this chaining was published on February 12. CVE-2025-0108 and CVE-2025-0111 are high-severity issues with CVSS scores of 8.8 and 7.1 respectively, while CVE-2024-9474 has a score of 6.9. Despite the severity, there's no specific information on German organizations being actively targeted.

With threat actors actively exploiting three vulnerabilities in unpatched Palo Alto Networks firewall appliances simultaneously, organizations are urged to apply the available patches immediately to mitigate the risk of successful attacks. CISA's addition of CVE-2025-0108 to its KEV catalog underscores the importance of prompt action.
