CVE-2025-0128 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet
Description
A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot cause the firewall to enter maintenance mode.
Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None on PAN-OS | All on PAN-OS |
PAN-OS 11.2 | < 11.2.3 | >= 11.2.3 |
PAN-OS 11.1 | < 11.1.5 | >= 11.1.5 |
PAN-OS 11.0 | < 11.0.6 | >= 11.0.6 |
PAN-OS 10.2 | < 10.2.10-h17 | >= 10.2.10-h17 |
PAN-OS 10.1 | < 10.1.14-h11 | >= 10.1.14-h11 |
Prisma Access | < 10.2.4-h36 on PAN-OS, < 10.2.10-h16 on PAN-OS, < 11.2.4-h5 on PAN-OS | >= 10.2.4-h36 on PAN-OS, >= 10.2.10-h16 on PAN-OS, >= 11.2.4-h5 on PAN-OS |
PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and earlier PAN-OS versions have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities, so we do not plan to fix this issue in these EoL versions. You should presume that these versions are affected. (PAN-OS 11.0 is the exception: a fix was released before its EoL date; see the Solution section.)
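The hotfix suffixes in the table above are easy to get wrong when checking a fleet: 10.2.10 is affected but 10.2.10-h17 is not, and a naive string or tuple comparison that ignores the `-hN` part will misclassify both. The following Python is an added example, not code from Palo Alto Networks or from this advisory. It encodes the PAN-OS firewall rows of the Product Status table (the Prisma Access rows, which are patched by Palo Alto Networks, are not modelled), parses `major.minor.patch[-hN]` strings into comparable tuples, applies the EoL rule stated in the note above for release trains older than any listed row, and extracts the running version from `show system info` output. The `show system info` sample is constructed for the example, and the assumption that the CLI prints the version on a line starting with `sw-version:` is ours.

```python
import re

# Fixed builds per release train, copied from the advisory's Product Status table.
# A build is affected when it is older than its train's first fixed build.
FIXED_BY_TRAIN = {
    (11, 2): "11.2.3",
    (11, 1): "11.1.5",
    (11, 0): "11.0.6",
    (10, 2): "10.2.10-h17",
    (10, 1): "10.1.14-h11",
}

# major.minor.patch with an optional -hN hotfix suffix (other suffixes are rejected).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.10-h17' into (10, 2, 10, 17).

    A build without a hotfix suffix is hotfix 0, so tuple comparison gives the
    ordering the advisory relies on: 10.2.10 < 10.2.10-h17 < 10.2.11.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version):
    """Classify a PAN-OS firewall build against CVE-2025-0128.

    Returns one of:
      'affected'               listed train, older than the fixed build
      'fixed'                  listed train, at or beyond the fixed build
      'eol-presumed-affected'  train older than any listed row (advisory: presume affected)
      'not-in-advisory'        train newer than any listed row; the table says nothing
    """
    v = parse_version(version)
    train = v[:2]
    if train < min(FIXED_BY_TRAIN):
        return "eol-presumed-affected"
    if train > max(FIXED_BY_TRAIN) or train not in FIXED_BY_TRAIN:
        return "not-in-advisory"
    return "affected" if v < parse_version(FIXED_BY_TRAIN[train]) else "fixed"


def sw_version_from_show_system_info(output):
    """Pull the running version out of 'show system info' CLI output.

    Assumption (ours, not from the advisory): the CLI prints it as 'sw-version: X'.
    """
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in output")


# Constructed sample of 'show system info' output for a firewall still on 10.2.10.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-440
sw-version: 10.2.10
app-version: 8946-9078
"""


def assess_from_show_system_info(output):
    """Convenience wrapper: CLI output in, advisory status out."""
    return assess(sw_version_from_show_system_info(output))


if __name__ == "__main__":
    for build in ["10.2.10", "10.2.10-h17", "11.2.2-h3", "11.0.6", "9.1.17", "12.1.0"]:
        print(f"{build:>12}: {assess(build)}")
    print("sample fw :", assess_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO))
```

Feeding the script a list of `sw-version` values collected from Panorama or from each firewall's CLI gives a per-device status that respects hotfix ordering; anything reported as `affected` or `eol-presumed-affected` should be upgraded per the Solution table or mitigated with the SCEP workaround until it can be.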
Required Configuration for Exposure
NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Any firewall on which the explicit mitigation for this issue has not been applied is affected.
Severity: MEDIUM, Suggested Urgency: MODERATE
PAN-OS firewalls: a user sends a maliciously crafted packet through the firewall; processing that packet causes this issue.
- Severity: MEDIUM
- CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber)
Prisma Access: this issue can only be initiated by authenticated end users sending a maliciously crafted packet.
- Severity: LOW
- CVSS-BT: 1.3 / CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:U/AU:Y/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-153 Input Data Manipulation
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
PAN-OS 11.2 | 11.2.0 through 11.2.2 | Upgrade to 11.2.3 or later |
PAN-OS 11.1 | 11.1.0 through 11.1.4 | Upgrade to 11.1.5 or later |
PAN-OS 11.0 | 11.0.0 through 11.0.5 | Upgrade to 11.0.6 or later |
PAN-OS 10.2 | 10.2.0 through 10.2.10 | Upgrade to 10.2.10-h17 or later, or to 10.2.11 or later |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h11 or later |
All other older unsupported PAN-OS versions | All | Upgrade to a supported fixed version. |
PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.
We proactively initiated the upgrade through Prisma Access on March 21, 2025, to cover all tenants.
Workarounds and Mitigations
If you are not using SCEP, you can disable SCEP authentication to mitigate this risk by running the following command in the PAN-OS command-line interface (CLI):
> debug sslmgr set disable-scep-auth-cookie yes
CAUTION: This workaround does not persist across reboots. It is effective only until the next reboot, planned or not, after which you must rerun the command to stay protected. Verify it is still in place after any upgrade, maintenance window, or unexpected restart.
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*