Likelihood: HIGH
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is high because CVE-2025-0108 carries an EPSS of 0.94 (99th percentile), confirmed active exploitation has been observed across multiple attack waves, and internet-exposed GlobalProtect management interfaces represent a large, identifiable attack surface with no credential requirement for exploitation. Impact is very high because a successful bypass compromises the primary remote-access perimeter control, granting unauthenticated network entry that enables lateral movement, data exfiltration, or ransomware deployment — consequences that are operational, financial, and reputational in scope.
Treatment rationale: Immediate patching and management-interface access restriction are available, effective, and proportionate to the severity and active-exploitation status — avoidance is not viable for organizations dependent on GlobalProtect for remote access, and accepting or transferring a risk with confirmed active exploitation at this impact level is not defensible.
Third-Party / Supply-Chain Risk
Organizations that rely on Palo Alto Networks as a managed security service provider (MSSP) or that share PAN-OS infrastructure across business units or subsidiaries face compounded exposure: a single unpatched shared gateway can serve as an entry point across multiple tenants or organizational segments. Additionally, enterprises that have outsourced firewall or VPN management to third-party providers should verify patch status and interface exposure independently, as they cannot assume vendor-managed infrastructure has been remediated (NIST SP 800-161 Tier 3 — system and services acquisition level).
Loss Exposure (illustrative)
Magnitude: very high — illustrative range $500K–$10M+ depending on whether exploitation leads to ransomware deployment, data exfiltration, or prolonged dwell time before detection
Frequency: For an organization with an internet-exposed, unpatched GlobalProtect management interface during an active exploitation wave, illustrative threat event frequency is elevated — multiple opportunistic threat actors are actively scanning and exploiting; exposure window before incident is measured in days, not weeks
Annualized: Illustrative ALE framing: if an exposed organization faces a meaningful probability of a compromise event within a 12-month window given current active exploitation, and loss magnitude per event ranges from $500K to $10M+, annualized loss exposure is material and likely exceeds the cost of immediate remediation by one to two orders of magnitude
Basis: Loss magnitude driven by: incident response and forensics costs for a network-level perimeter breach, potential ransomware recovery costs (restoration, business interruption), regulatory notification costs if PII or regulated data is accessed, and reputational consequences of a perimeter control failure. Frequency driven by: confirmed active exploitation campaigns, high EPSS score indicating real-world weaponization, and the broad installed base of PAN-OS in enterprise environments. No third-party actuarial source cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If exploitation results in unauthorized access to personal data, state and federal breach-notification obligations may be triggered — verify with counsel.
• Active exploitation of a known critical vulnerability prior to patching may affect cyber-insurance claim eligibility or invoke policy conditions related to failure to apply available patches within a reasonable timeframe — verify with broker and review policy language.
• If the organization is subject to HIPAA, PCI-DSS, or similar regulated-data frameworks and the management interface is within scope, regulatory notification or reporting obligations may apply — verify with counsel.