U.S. cybersecurity giant Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks.
Attackers are exploiting a recently disclosed vulnerability in PAN-OS, the operating system that runs Palo Alto Networks firewalls, the California-based company confirmed on Tuesday.
Cybersecurity firm Assetnote first discovered the vulnerability, tracked as CVE-2025-0108, earlier this month while analyzing two previous Palo Alto firewall vulnerabilities that had been used in earlier attacks.
Palo Alto Networks released an advisory on the same day and called on customers to urgently patch against the latest bug. The company updated its advisory on Tuesday to warn that the vulnerability is under active attack.
The company said malicious attackers are chaining the vulnerability with two previously disclosed flaws — CVE-2024-9474 and CVE-2025-0111 — to target unpatched and unsecured PAN-OS web management interfaces. CVE-2024-9474 has been exploited in attacks since November 2024, we previously reported.
Palo Alto Networks hasn’t explained how the three vulnerabilities are being chained together by hackers, but noted that the complexity of the attack is “low.”
The scale of the exploitation is not yet known, but threat intelligence startup GreyNoise said in a blog post on Tuesday that it has observed 25 IP addresses actively exploiting the PAN-OS vulnerability, up from two IP addresses on February 13, suggesting an uptick in exploitation activity. The exploitation attempts have been flagged by GreyNoise as “malicious,” suggesting that threat actors are behind the exploitation rather than security researchers.
“This high-severity flaw allows unauthenticated attackers to execute specific PHP scripts, potentially leading to unauthorized access to vulnerable systems,” GreyNoise said.
GreyNoise says it has observed the highest levels of attack traffic in the U.S., Germany, and the Netherlands.
It’s not known who is behind these attacks, or whether any sensitive data has been stolen from customers’ networks. Palo Alto Networks did not immediately respond to TechCrunch’s questions.
CISA, the U.S. government’s cybersecurity agency, added the latest Palo Alto bug to its publicly listed Known Exploited Vulnerabilities (KEV) catalog on Tuesday.