Palo Alto Networks has recently disclosed a critical vulnerability in its PAN-OS network security operating system, tracked as CVE-2025-0108<\/a>, which allows attackers to bypass authentication on the management web interface.\u00a0<\/p>\n This vulnerability, with a CVSSv3.1 score of 7.8, exposes affected systems to significant threats by enabling unauthenticated attackers to invoke certain PHP scripts without proper authorization.\u00a0<\/p>\n The flaw highlights architectural weaknesses in the interaction between Nginx and Apache, two key components of the management interface.<\/p>\n The root cause of CVE-2025-0108 lies in path confusion and header smuggling between Nginx and Apache<\/a>.\u00a0<\/p>\n When a request is sent to the PAN-OS management interface, it is first processed by Nginx, which uses specific headers to enforce authentication.\u00a0<\/p>\n One critical header is X-pan-AuthCheck: on, signaling that authentication is required. However, conditional rules in the Nginx configuration may disable this check for certain paths, such as those matching \/unauth\/:<\/p>\n Nginx proxies the request to Apache, which reprocesses it and applies additional rewrite rules. For example:<\/p>\n According to<\/a> Assetnote researchers, the vulnerability arises due to double URL decoding during Apache\u2019s internal redirection process.\u00a0<\/p>\n A specially crafted request such as \/unauth\/%252e%252e\/php\/ztp_gate.php\/PAN_help\/x.css exploits this behavior.\u00a0<\/p>\n Initially, Nginx decodes %252e%252e into %2e%2e, failing to recognize it as a directory traversal attempt. However, during Apache\u2019s internal redirect, the URL is decoded again into ..\/, allowing unauthorized access to sensitive PHP scripts<\/a> like ztp_gate.php.\u00a0<\/p>\n Since Nginx has already set X-pan-AuthCheck: off, no authentication<\/a> is enforced.<\/p>\n By exploiting this flaw, an attacker can bypass the authentication mechanism entirely and execute PHP scripts within the management interface.\u00a0<\/p>\n While this does not allow remote code execution<\/a> directly, it poses severe risks to the confidentiality and integrity of PAN-OS systems by exposing sensitive administrative functionalities.<\/p>\n A proof-of-concept (PoC) request demonstrates how an attacker could exploit this issue:<\/p>\n The server responds with a 200 OK status, granting unauthorized access to restricted resources.<\/p>\n Palo Alto Networks has addre<\/a>ssed<\/a> this vulnerability in the following versions:<\/p>\n Users are strongly advised to upgrade their PAN-OS installations immediately to these patched versions or newer releases.\u00a0<\/p>\n Additionally, Palo Alto Networks<\/a> recommends restricting access to the management web interface by whitelisting trusted internal IP addresses as a best practice.<\/p>\n Organizations using PAN-OS should act swiftly to patch affected systems and implement robust access controls for their management interfaces to mitigate potential exploitation risks.<\/p>\n PCI DSS 4.0 & Supply Chain Attack Prevention \u2013\u00a0Free Webinar<\/a><\/strong><\/p>\n The post Path Confusion in Nginx\/Apache Leads to Critical Auth Bypass in PAN-OS<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nPath Confusion in Nginx\/Apache<\/strong><\/h2>\n
if ($uri ~ ^\/unauth\/.+$) {\nset $panAuthCheck 'off';\n}<\/pre>\nRewriteRule ^(.*)(\/PAN_help\/)(.*).(css|js|html|htm)$ $1$2$3.$4.gz [QSA,L]<\/pre>\n
Exploitation Impact<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeTVm9XrWJmvOM26-TfO0OU07MYTnxgnljuDHvB0f6leNBKp0Nq1AQtaxyuNVGlSeN2NJr2TMs8KPyRA-dK88Cbu6D6W_SVLOlTxR1tdFz2st-r5riwKcVcdyBxX4aMX4O0p-EI4A?key=_uQTdH6mMVlkyBDbFsRzENZ6\")
Mitigation and Recommendations<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXf88UVivSWymoYH55bX3aDBLyGnDhiLfhU_Vvjc9BHz7gJyWWAvLRRmDulPJsBbNsBK_0xyKtvTUS146uENqTCS2tbkeAYE7IOhTOU-5S2UkDLpbYUCBTUZXywS3HMrd4aUrZprMA?key=_uQTdH6mMVlkyBDbFsRzENZ6\")