Path Confusion in Nginx/Apache Leads to Critical Auth Bypass in PAN-OS


Feb 13, 2025 - 10:31

Palo Alto Networks has recently disclosed a critical vulnerability in its PAN-OS network security operating system, tracked as CVE-2025-0108, which allows attackers to bypass authentication on the management web interface. 

This vulnerability, with a CVSSv3.1 score of 7.8, exposes affected systems to significant threats by enabling unauthenticated attackers to invoke certain PHP scripts without proper authorization. 

The flaw highlights architectural weaknesses in the interaction between Nginx and Apache, two key components of the management interface.

Path Confusion in Nginx/Apache

The root cause of CVE-2025-0108 lies in path confusion and header smuggling between Nginx and Apache.

When a request is sent to the PAN-OS management interface, it is first processed by Nginx, which uses specific headers to enforce authentication. 

One critical header is X-pan-AuthCheck: on, signaling that authentication is required. However, conditional rules in the Nginx configuration may disable this check for certain paths, such as those matching /unauth/:

if ($uri ~ ^\/unauth\/.+$) {
    set $panAuthCheck 'off';
}

Nginx proxies the request to Apache, which reprocesses it and applies additional rewrite rules. For example:

RewriteRule ^(.*)(\/PAN_help\/)(.*)\.(css|js|html|htm)$ $1$2$3.$4.gz [QSA,L]

(Image: Authentication bypass in the PAN-OS)

According to Assetnote researchers, the vulnerability arises due to double URL decoding during Apache’s internal redirection process. 

A specially crafted request such as /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css exploits this behavior. 

Initially, Nginx decodes %252e%252e into %2e%2e, failing to recognize it as a directory traversal attempt. However, during Apache’s internal redirect, the URL is decoded again into ../, allowing unauthorized access to sensitive PHP scripts like ztp_gate.php. 

Since Nginx has already set X-pan-AuthCheck: off, no authentication is enforced.
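The mismatch described above, modelled as an added detection example (not PAN-OS or Assetnote code): the front proxy matches the /unauth/ exemption against a once-decoded path, the backend resolves a twice-decoded one, and a request is flagged when those two views disagree about whether it stays under /unauth/. The regex, the dot-segment normalisation and the sample log lines are assumptions chosen to mirror the article's description.

```python
"""Two-stage decoding model for CVE-2025-0108 plus an access-log check.
Constructed example: approximates the behaviour the article describes."""
import posixpath
import re
from urllib.parse import unquote

# The /unauth/ exemption quoted from the Nginx configuration.
UNAUTH_RE = re.compile(r"^/unauth/.+$")


def front_proxy_view(raw_path: str) -> str:
    """Path as the front proxy matches it: one percent-decode, then
    dot-segment normalisation (assumption: how nginx builds $uri)."""
    return posixpath.normpath(unquote(raw_path))


def backend_view(raw_path: str) -> str:
    """Path the backend resolves after its internal redirect: a second
    decode turns %2e%2e into .. and the result is normalised again."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def is_auth_bypass_candidate(raw_path: str) -> bool:
    """True when the front proxy would skip auth (path under /unauth/)
    but the backend would resolve the request outside /unauth/."""
    skipped = UNAUTH_RE.match(front_proxy_view(raw_path)) is not None
    escaped = not backend_view(raw_path).startswith("/unauth/")
    return skipped and escaped


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return request paths from access-log lines that fit the pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_auth_bypass_candidate(m.group(1).split("?", 1)[0]):
            hits.append(m.group(1))
    return hits


# Constructed sample log: a benign /unauth/ request, a direct request that
# authentication stops, and a double-encoded traversal like the article's.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Feb/2025:10:31:00 +0000] "GET /unauth/login.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Feb/2025:10:31:01 +0000] "GET /php/ztp_gate.php HTTP/1.1" 403 128',
    '10.0.0.9 - - [13/Feb/2025:10:31:02 +0000] "GET /unauth/%252e%252e/php/ztp_gate.php/PAN_help/x.css HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path in scan_access_log(SAMPLE_LOG):
        print("auth-bypass candidate:", path, "->", backend_view(path))
```

A singly encoded `%2e%2e` is not flagged, because the front proxy already normalises it out of the /unauth/ prefix and enforces authentication, which is why the double encoding is the essential ingredient.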

Exploitation Impact

By exploiting this flaw, an attacker can bypass the authentication mechanism entirely and execute PHP scripts within the management interface. 

While this does not allow remote code execution directly, it poses severe risks to the confidentiality and integrity of PAN-OS systems by exposing sensitive administrative functionalities.

A proof-of-concept (PoC) request demonstrates how an attacker could exploit this issue:

The server responds with a 200 OK status, granting unauthorized access to restricted resources.

Mitigation and Recommendations

Palo Alto Networks has addressed this vulnerability in the following versions:

  • PAN-OS 11.2: Fixed in 11.2.4-h4 and later.
  • PAN-OS 11.1: Fixed in 11.1.6-h1 and later.
  • PAN-OS 10.2: Fixed in 10.2.13-h3 and later.
  • PAN-OS 10.1: Fixed in 10.1.14-h9 and later.

Users are strongly advised to upgrade their PAN-OS installations immediately to these patched versions or newer releases. 

Additionally, Palo Alto Networks recommends restricting access to the management web interface by whitelisting trusted internal IP addresses as a best practice.

Organizations using PAN-OS should act swiftly to patch affected systems and implement robust access controls for their management interfaces to mitigate potential exploitation risks.


The post Path Confusion in Nginx/Apache Leads to Critical Auth Bypass in PAN-OS appeared first on Cyber Security News.