H-ISAC TLP White Threat Bulletin Palo Alto PAN-OS Firewall Flaw CVE-2025-0111 Used in Exploit Chaining Attacks

Palo Alto recently disclosed that PAN-OS firewalls vulnerable to CVE-2025-0111 are being used in exploit chain attacks.

In these attacks, CVE-2025-0111 is chained with CVE-2025-0108 and CVE-2024-9474, for which Palo Alto released patches in February 2025 and November 2024, respectively.

Despite fixes also being released for CVE-2025-0111 in February 2025, Palo Alto updated a previously distributed after observing threat actors chaining it with CVE-2025-0108 and CVE-2024-9474 in exploit attempts on unpatched and unsecured PAN-OS web management interfaces.

Successful exploitation of CVE-2025-0111 allows unauthenticated threat actors with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the 鈥渘obody鈥 user. Health-ISAC previously released an in which threat actors were chaining CVE-2025-0108 and CVE-2024-9474 to exploit vulnerable PAN-OS firewalls. 

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272

More on John Riggi
Learn more about AHA's Cybersecurity and Risk Advisory Services

Key Resources

Related Resources

Special Bulletin
UPDATE: AHA and Health-ISAC Threat Advisory: FBI Advises No Specific Credible Threat Targeting Hospitals
Public
Special Bulletin
AHA and Health-ISAC Bulletin on Threat to Hospitals
Member
AHA Center for Health Innovation Market Scan
Rural Hospitals Move to Enhance Cybersecurity
Advancing Health Podcast
Critical Condition: Cybersecurity in Rural Hospitals with Microsoft Part 2
Advancing Health Podcast
Critical Condition: Cybersecurity in Rural Hospitals with Microsoft Part 1
Public
Guides/Reports
Change Healthcare Cyberattack Underscores Urgent Need to Strengthen Cyber Preparedness for Individual Health Care Organizations and as a Field
Public