Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/screaminggoat/statuses/113992358068909630">screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST</a><a href="https://infosec.exchange/@screaminggoat" title="screaminggoat@infosec.exchange"><img src="https://gnusocial.jp/avatar/278335-48-20250102170004.webp" width="48" height="48" alt="screaminggoat" style="position: absolute; left: 0; top: 0;">screaminggoat</a><div><a href="https://infosec.exchange/@screaminggoat/113992177119940610" rel="in-reply-to">in reply to</a></div></section><article><p>Assetnote: <a href="https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os" rel="nofollow">Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)</a><br>If I'm reading this correctly, Assetnote dropped vulnerability details and proof of concept for <a href="https://www.cve.org/CVERecord?id=CVE-2025-0108" rel="nofollow">CVE-2025-0108</a> (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface. They are describing this as a zero-day auth bypass, but it should be called "patch bypass." See related PAN <a href="https://security.paloaltonetworks.com/CVE-2025-0108" rel="nofollow">security advisory</a>.</p><p>Fun operational mistake: Assetnote wrote This vulnerability was fixed in versions xx and yy and assigned CVE zz. in their conclusion.</p><p><a href="https://infosec.exchange/tags/paloaltonetworks" rel="tag">#paloaltonetworks</a> <a href="https://infosec.exchange/tags/CVE_2025_0108" rel="tag">#CVE_2025_0108</a> <a href="https://infosec.exchange/tags/infosec" rel="tag">#infosec</a> <a href="https://infosec.exchange/tags/vulnerability" rel="tag">#vulnerability</a> <a href="https://infosec.exchange/tags/cve" rel="tag">#cve</a> <a href="https://infosec.exchange/tags/cybersecurity" rel="tag">#cybersecurity</a> <a href="https://infosec.exchange/tags/poc" rel="tag">#poc</a> <a href="https://infosec.exchange/tags/proofofconcept" rel="tag">#proofofconcept</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4554181#notice-8915723">In conversation</a><time datetime="2025-02-13T03:41:54+09:00" title="Thursday, 13-Feb-2025 03:41:54 JST">about 19 days ago</time> <span>from <span><a href="https://infosec.exchange/@screaminggoat/113992358068909630" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@screaminggoat/113992358068909630">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST screaminggoat
in reply to
Assetnote: Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
If I'm reading this correctly, Assetnote dropped vulnerability details and proof of concept for CVE-2025-0108 (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface. They are describing this as a zero-day auth bypass, but it should be called "patch bypass." See related PAN security advisory.
Fun operational mistake: Assetnote wrote This vulnerability was fixed in versions xx and yy and assigned CVE zz. in their conclusion.
#paloaltonetworks #CVE_2025_0108 #infosec #vulnerability #cve #cybersecurity #poc #proofofconcept
In conversationabout 19 days ago from infosec.exchangepermalink

Public

Embed Notice

HTML Code

Corresponding Notice