Palo Alto Networks Security Advisories / CVE-2025-0116

CVE-2025-0116 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted LLDP Frame

Urgency MODERATE

047910
Severity 4.3 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector ADJACENT
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction ACTIVE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2025-03-12
Updated 2025-04-04
Reference PAN-271351
Discovered externally

Description

A Denial of Service (DoS) vulnerability in Palo Alto Networks PAN-OS software causes the firewall to unexpectedly reboot when processing a specially crafted LLDP frame sent by an unauthenticated adjacent attacker. Repeated attempts to initiate this condition causes the firewall to enter maintenance mode.

This issue does not apply to Cloud NGFWs or Prisma Access software.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2< 11.2.5
>= 11.2.5
PAN-OS 11.1< 11.1.4-h17
< 11.1.6-h6
< 11.1.8
>= 11.1.4-h17
>= 11.1.6-h6
>= 11.1.8
PAN-OS 10.2< 10.2.10-h17
< 10.2.13-h5
< 10.2.14
>= 10.2.10-h17
>= 10.2.13-h5
>= 10.2.14
PAN-OS 10.1< 10.1.14-h11
>= 10.1.14-h11
Prisma AccessNone
All

Please note that PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and older releases have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities and no fixes are planned. These versions are presumed to be affected.

Required Configuration for Exposure

To be vulnerable, all of the following conditions must be true:

  1. You must have enabled LLDP in your PAN-OS software to be vulnerable to this issue. You can verify whether you have LLDP enabled by following these steps in your web interface:
    1. Select Network > LLDP.
    2. In the LLDP General settings, verify whether LLDP is enabled (checked).
  2. LLDP must be enabled on at least one network interface. You can verify whether you have LLDP enabled on an interface by following these steps in your web interface:
    1. Select Network > LLDP.
    2. Verify if any interfaces are listed
    3. Verify if for any listed interface LLDP is enabled (checked) 
  3. The LLDP profile associated with the an interface must have the "Mode" configured to "transmit-receive" or "receive-only". You can verify the "Mode" in your LLDP profile by following these steps in your web interface:
    1. Select Network > LLDP.
    2. For any interfaces where LLDP is enabled, find the profile associated with it.
    3. Select Network > Network Profiles > LLDP Profile
    4. Select the profile used with the interface
    5. Verify if the "Mode" is set to "transmit-receive" or "receive-only".


 

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

[Allowed-with-Review] CWE-754 Improper Check for Unusual or Exceptional Conditions

CAPEC-153 Input Data Manipulation

Solution

Version
Minor Version
Suggested Solution
PAN-OS 11.2
11.2.0 through 11.2.4
Upgrade to 11.2.5 or later
PAN-OS 11.111.1.0 through 11.1.7
Upgrade to 11.1.8 or later
 11.1.0 through 11.1.6 Upgrade to 11.1.6-h6 or 11.1.8 or later
 11.1.0 through 11.1.4Upgrade to 11.1.4-h17 or 11.1.6-h6 or 11.1.8 or later 
PAN-OS 11.0 (EoL) Upgrade to a supported fixed version
PAN-OS 10.210.2.13Upgrade to 10.2.13-h5 or 10.2.14 or later
 10.2.0 through 10.2.13
Upgrade to 10.2.14 or later
 10.2.0 through 10.2.10Upgrade to 10.2.10-h17 or 10.2.13-h5 or 10.2.14 or later
PAN-OS 10.1
10.1.0 through 10.1.14Upgrade to 10.1.14-h11 or later
All other older
unsupported
PAN-OS versions		 Upgrade to a supported fixed version.

Workarounds and Mitigations

Option 1:
If you are not using LLDP, you should disable it to mitigate this issue by performing the following steps in your web interface:

  1. Select Network > LLDP.
  2. Open LLDP General settings.
  3. Disable (uncheck) LLDP.

Option 2:
You can disable LLDP for your network interfaces by performing the following steps in your web interface:
  1. Select Network > Interfaces and select the interface you wish to disable LLDP for.
  2. Select Advanced > LLDP.
  3. Disable (uncheck) LLDP. 


Option 3:
If you are using LLDP only to advertise information about your PAN-OS device to other neighboring devices, you should set the LLDP mode to transmit-only for the profile used on your network interfaces by performing the following steps in your web interface:
  1. Select Network > Network Profiles > LLDP Profile
  2. Select the profile used with the interface
  3. Set the "Mode" to "transmit-only".
 

Acknowledgments

Palo Alto Networks thanks an external reporter for discovering and reporting the issue.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*

Timeline

Updated fix availability of PAN-OS 10.2
Updated fix availability of PAN OS 11.1
Updated fix availability of PAN-OS 11.1
Updated the ETA for 10.2.14 and the fixed 10.2.13 version listed in the solution section
Updated fix availability of PAN-OS 10.2
Updated the required configuration and workarounds sections
Updated the required configuration and workarounds sections
Updated the product status table to match the solution table
Initial Publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.