Palo Alto Networks Security Advisories / CVE-2025-0130

CVE-2025-0130 PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Feature via a Burst of Maliciously Crafted Packets

Urgency MODERATE

047910
Severity 4.6 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort LOW
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2025-05-14
Updated 2025-05-14
Reference PAN-273308
Discovered internally

Description

A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.

This issue does not affect Cloud NGFW or Prisma Access.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2< 11.2.5
>= 11.2.5
PAN-OS 11.1< 11.1.6-h1
< 11.1.7-h2
< 11.1.8
>= 11.1.6-h1
>= 11.1.7-h2
>= 11.1.8
PAN-OS 10.2None
All
PAN-OS 10.1None
All
Prisma AccessNone
All

This issue affects only PAN-OS 11.0 and later PAN-OS versions. PAN-OS 11.0 software is end-of-life (EoL) so we do not intend to fix this issue in this version.

Required Configuration for Exposure

This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.
To verify if you have configured web proxy on your PAN-OS device, see our documentation regarding the web proxy feature.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.6 / CVSS-B: 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-754 Improper Check for Unusual or Exceptional Conditions

CAPEC-583 Disabling Network Hardware

Solution

Version
Minor Version
Suggested Solution
PAN-OS 11.2
11.2.0 through 11.2.4Upgrade to 11.2.5 or later.
PAN-OS 11.111.1.0 through 11.1.7
Upgrade to 11.1.7-h2 or 11.1.8 or later.
 11.1.0 through 11.1.6Upgrade to 11.1.6-h1 or 11.1.8 or later.
PAN-OS 11.0 (EoL)

Upgrade to a supported fixed version.
PAN-OS 10.2
No action needed.
PAN-OS 10.1
No action needed.
All other
unsupported
PAN-OS versions		 Upgrade to a supported fixed version.

Workarounds and Mitigations

If you are not using the web proxy feature, you can disable it to mitigate this issue. For more information regarding the web proxy feature, see our documentation regarding the web proxy feature.

Acknowledgments

Palo Alto Networks thanks Jari Pietila of Palo Alto Networks for discovering and reporting the issue.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.