Palo Alto Networks, a US cybersecurity giant, warns that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks.
The attackers are exploiting a recently disclosed vulnerability in PAN-OS, the operating system that runs on Palo Alto Networks firewalls, the California-based company confirmed Tuesday.
Cybersecurity company Assetnote discovered the vulnerability, tracked as CVE-2025-0108, earlier this month, and analyzed two earlier Palo Alto firewall vulnerabilities that had been used in previous attacks.
Palo Alto Networks released an advisory on the same day, urging customers to urgently patch the latest bug. The company updated its advisory on Tuesday to warn that the vulnerability is under active attack.
The company said malicious attackers are chaining the vulnerability with two previously disclosed flaws: CVE-2024-9474 and CVE-2025-0111. CVE-2024-9474 has been exploited in attacks since November 2024.
Palo Alto Networks did not explain how the three vulnerabilities are being chained by hackers, but noted that the complexity of the attack is “low.”
The scale of exploitation is still unknown, but in a blog post on Tuesday, threat intelligence startup GreyNoise said it has observed 25 IP addresses actively exploiting the PAN-OS vulnerability, up from two IP addresses on February 13, suggesting an increase in exploitation activity. The exploitation attempts were flagged as “malicious” by GreyNoise, suggesting that threat actors, not security researchers, are behind them.
“This high-deficiency flaw allows rogue attackers to run certain PHP scripts, which could lead to unauthorized access to vulnerable systems,” GreyNoise said.
GreyNoise says it has observed the highest levels of attack traffic in the US, Germany and the Netherlands.
It is unclear who is behind these attacks or whether sensitive data has been stolen from customers' networks. Palo Alto Networks did not immediately respond to TechCrunch's questions.
CISA, the US government's cybersecurity agency, added the latest Palo Alto bug to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday.