Ethan Grammer
Guillermo Sánchez / February 28, 2025 / 3 minutes of readingAdvisories, Vulnerabilities & Alerts
Palo Alto Networks Alerts to Active Exploitation of New Firewall Vulnerability
Description: Palo Alto Networks has issued a warning regarding active exploitation of a file read vulnerability, identified as CVE-2025-0111, in its PAN-OS firewalls. This flaw is being combined with two other vulnerabilities—CVE-2025-0108 and CVE-2024-9474—in attacks targeting unpatched systems.
The company initially disclosed the authentication bypass vulnerability CVE-2025-0108 on February 12, 2025, providing patches to address the issue. On the same day, researchers from Assetnote released a proof-of-concept exploit demonstrating how CVE-2025-0108 and CVE-2024-9474 could be chained to gain root privileges on vulnerable PAN-OS firewalls.
Subsequently, threat intelligence firm GreyNoise reported active exploitation attempts originating from multiple IP addresses. The CVE-2024-9474 vulnerability, a privilege escalation flaw in PAN-OS, was previously fixed in November 2024 after being exploited as a zero-day.
The newly highlighted CVE-2025-0111 flaw allows authenticated attackers with network access to the management web interface to read files accessible by the “nobody” user. Palo Alto Networks updated its security bulletin to emphasize that this vulnerability is now being exploited in conjunction with the other two flaws in active attacks.
Recommended Actions:
- Administrators can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses.
- Administrators can check if a device is affected by visiting the following URL: https://security.paloaltonetworks.com/CVE-2025-0111.
External Links:
FBI Warns of new Ransomware Actively Exploiting Organizations
Description: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) has warned of a new ransomware called the “Ghost Ransomware” has been actively exploited by attackers in over 70 countries. The affected sectors include critical infrastructure, healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses. The attackers exploit outdated software and firmware in internet-facing services, leading to widespread breaches. The Ghost ransomware group frequently changes their malware executables, file extensions of encrypted files, ransom note contents, and uses multiple email addresses for ransom communications, resulting in varied attributions over time.
Recommended Actions:
- Ensure that all systems and software are up to date with the most stable release from vendors.
- Take frequent backups of systems to ensure that critical data is readily available in the event of a crisis.
- Implement monitoring of critical infrastructure platforms with alerting configured.
External Links:
Brute Force Attack Uses 2.8 million IPs to target VPN Appliances
Description: A massive brute force attack is currently underway, utilizing nearly 2.8 million unique IP addresses daily to target networking devices from manufacturers such as Palo Alto Networks, Ivanti, and SonicWall. The source IPs from the brute force attack primarily originate from Brazil, with others from Russia, Turkey, Argentina, Morocco, and Mexico. The brute force attacks are originating from MikroTik, Cisco, and Huawei routes, and are targeting VPNs, firewalls, gateways, and other publicly-facing security appliances.
Recommended Actions:
- Change appliance passwords to strong passphrases to make brute force attempts more difficult.
- Update appliances to latest stable release from manufacturer.
- Enable multi-factor authentication where applicable.
External Links: