
Researchers Uncover Authentication Bypass Vulnerability in Palo Alto Networks' PAN-OS

Palo Alto Networks vulnerability

Security researchers at Assetnote have discovered a critical authentication bypass vulnerability in Palo Alto Networks' PAN-OS management interface, highlighting the risks inherent in multi-layered proxy authentication architectures.

The vulnerability, tracked as CVE-2025-0108, was found during the team's investigation of previous security patches.

The flaw stems from the interaction between the Nginx and Apache servers that make up PAN-OS's management interface architecture. It arises from differences in how the two servers decode URL-encoded characters and normalize paths; that mismatch leads to a complete authentication bypass.

"This is a suspicious and quite common architecture where authentication is enforced at a proxy layer but then the request is passed through a second layer with different behavior," the researchers explained in their detailed analysis. "Fundamentally, these sorts of architectures lead to things like header smuggling and path confusion, which can result in many impactful bugs."

The exploit works by leveraging how Nginx and Apache handle URL-encoded paths differently. When a specially crafted request containing double-encoded path traversal sequences is sent, Nginx evaluates the path as one that does not require authentication and sets the authentication check to "off." Apache's subsequent processing, after multiple decoding steps, then reveals the actual path the request targets.

This disparity allows attackers to bypass authentication controls and access protected resources.
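The following is an added illustration, not code from the article, from Assetnote or from Palo Alto Networks. It models the general pattern the article describes: a front layer that percent-decodes a request path once before deciding whether authentication is required, and a back layer that keeps decoding until the path stops changing before resolving it. The protected prefix `/admin/`, the sample request paths and the two decoding models are constructed assumptions for the demonstration, not PAN-OS details. `classify_request` flags a request whose two views disagree about whether a protected resource is being served, and `hardened_gate` shows the mitigation of making the authentication decision on the fully canonical path and refusing requests where the layers would disagree.

```python
import posixpath
from urllib.parse import unquote

# Constructed model for illustration; not the PAN-OS or Assetnote code.
# Assumes a single protected prefix and two layers that normalize differently.
PROTECTED_PREFIXES = ("/admin/",)


def normalize_segments(path: str) -> str:
    """Collapse '.' and '..' segments the way a file-serving layer would."""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def front_layer_view(raw_path: str) -> str:
    """Model of the authenticating proxy: ONE percent-decode, then normalize."""
    return normalize_segments(unquote(raw_path))


def back_layer_view(raw_path: str, max_rounds: int = 5) -> str:
    """Model of the second layer: decode until the string stops changing
    (the 'multiple decoding steps' in the article), then normalize."""
    current = raw_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return normalize_segments(current)


def requires_auth(path: str) -> bool:
    """Prefix check used by both layers in this model."""
    return path.startswith(PROTECTED_PREFIXES)


def classify_request(raw_path: str) -> dict:
    """Compare what each layer believes the request points at."""
    front = front_layer_view(raw_path)
    back = back_layer_view(raw_path)
    return {
        "raw": raw_path,
        "front_view": front,
        "back_view": back,
        "front_enforces_auth": requires_auth(front),
        "back_serves_protected": requires_auth(back),
        # The dangerous case: the back layer serves a protected resource
        # but the front layer never demanded authentication for it.
        "inconsistent": requires_auth(back) and not requires_auth(front),
    }


def hardened_gate(raw_path: str) -> str:
    """Mitigation modelled here: decide on the fully canonical path and
    reject any request whose single-decode view disagrees with it."""
    front = front_layer_view(raw_path)
    back = back_layer_view(raw_path)
    if front != back:
        return "reject"  # the layers would disagree; do not forward at all
    return "auth" if requires_auth(back) else "allow"


if __name__ == "__main__":
    # Constructed sample paths: a plain protected request, a public one, and a
    # double-encoded traversal of the kind the article describes.
    for sample in ("/admin/settings",
                   "/public/index.html",
                   "/public/%252e%252e/admin/settings"):
        info = classify_request(sample)
        print(f"{sample:40} front={info['front_view']:32} "
              f"back={info['back_view']:20} inconsistent={info['inconsistent']} "
              f"gate={hardened_gate(sample)}")
```

Running the script prints one line per constructed sample; only the double-encoded path is reported as inconsistent, because the front layer sees `/public/%2e%2e/admin/settings` while the back layer resolves it to `/admin/settings`. The hardened gate rejects that request outright rather than trying to guess which layer is right.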

The vulnerability is particularly concerning as it affects the management interface of PAN-OS, which is crucial for firewall configuration and control. The research team discovered this issue while analyzing the fixes for previous vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in the same system.

Palo Alto Networks has patched the vulnerability and recommends that organizations restrict management-interface access to an allow-list of trusted IP addresses, so that this and similar vulnerabilities cannot be exploited over the internet. The incident serves as a reminder of the security challenges in implementing multi-layered authentication systems and of the importance of consistent request processing across different web server components.

The discovery also emphasizes the value of post-patch analysis in identifying additional security weaknesses, as demonstrated by Assetnote's proactive approach to supporting its customers' security needs.
