CVE-2025-2182 PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)
Description
A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue applies only to PA-7500 Series devices that are members of an NGFW cluster.
A user who possesses this key can read messages being sent between devices in an NGFW cluster. There is no impact on non-clustered firewalls or on clusters of firewalls that do not enable MACsec.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS | None on devices other than PA-7500 | All on devices other than PA-7500 |
PAN-OS 11.2 | < 11.2.8 on PA-7500 | >= 11.2.8 on PA-7500 |
PAN-OS 11.1 | < 11.1.10 on PA-7500 | >= 11.1.10 on PA-7500 |
PAN-OS 10.2 | None on PA-7500 | All on PA-7500 |
PAN-OS 10.1 | None on PA-7500 | All on PA-7500 |
Prisma Access | None | All |
Required Configuration for Exposure
All of the following conditions must be true for a device to be vulnerable to this issue:
Your PA-7500 Series devices must be in an NGFW cluster. For more information regarding NGFW clusters, see our documentation.
A MACsec policy must be configured and enabled for the NGFW cluster. For more information about MACsec profiles, see our documentation.
Severity: LOW, Suggested Urgency: MODERATE
CVSS-BT: 3.3 / CVSS-B: 6.8 (CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/AU:N/R:A/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-312 Cleartext Storage of Sensitive Information
CAPEC-158 Sniffing Network Traffic
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Cloud NGFW | | No action needed. |
PAN-OS 11.2 on PA-7500 | 11.2.0 through 11.2.7 | Upgrade to 11.2.8 or later. |
PAN-OS 11.1 on PA-7500 | 11.1.0 through 11.1.9 | Upgrade to 11.1.10 or later. |
PAN-OS 10.2 on PA-7500 | | No action needed. |
PAN-OS 10.1 on PA-7500 | | No action needed. |
PAN-OS on devices other than PA-7500 | | No action needed. |
All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
Prisma Access | | No action needed. |
Workarounds and Mitigations
No known workarounds exist for this issue.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:PA-7500:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:PA-7500:*:* is vulnerable from (including) 11.2.0 and up to (excluding) 11.2.8
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:PA-7500:*:* is vulnerable from (including) 11.1.0 and up to (excluding) 11.1.10
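The Product Status table and the CPE applicability ranges above together define who is actually exposed: the PA-7500 model, a PAN-OS build inside one of the two half-open version ranges, NGFW cluster membership, and MACsec enabled. The following is an added example (not Palo Alto Networks' code or tooling) that encodes those conditions as an inventory check a defender can run against their own device list. The `Device` record, the hostnames and the inventory contents are constructed for illustration; the version ranges and fixed versions are taken from the advisory.

```python
"""Inventory check for CVE-2025-2182 (added example, not vendor code).

Encodes the advisory's affected ranges (PA-7500 only, PAN-OS 11.2.0 <= v < 11.2.8
and 11.1.0 <= v < 11.1.10) plus the two configuration preconditions
(NGFW cluster membership, MACsec enabled) from the "Required Configuration" section.
"""
from dataclasses import dataclass

# Half-open [start, end) ranges from the CPE applicability section; the
# upper bound is also the fixed version to upgrade to.
AFFECTED_RANGES = (
    ((11, 2, 0), (11, 2, 8)),
    ((11, 1, 0), (11, 1, 10)),
)
AFFECTED_MODEL = "PA-7500"


def parse_version(text):
    """Parse 'MAJOR.MINOR.MAINT' into an int tuple for ordered comparison.

    A hotfix suffix such as '-h2' is dropped: the advisory expresses its
    ranges on the base release, so 11.1.10-h1 compares as 11.1.10.
    """
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version):
    """Return the fixed version (as a string) if `version` is in an affected
    range, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


@dataclass
class Device:
    """Hypothetical inventory record; field names are this example's own."""
    hostname: str
    model: str          # e.g. "PA-7500"
    version: str        # e.g. "11.2.3"
    in_cluster: bool    # NGFW cluster member?
    macsec_enabled: bool


def assess(device):
    """Classify one device as (status, reason).

    'vulnerable' requires every advisory precondition to hold; an affected
    build that lacks the cluster/MACsec configuration is reported as
    'not_exposed' so it can still be scheduled for upgrade.
    """
    if device.model != AFFECTED_MODEL:
        return ("not_affected", "advisory applies to PA-7500 Series devices only")
    fixed = fixed_version_for(device.version)
    if fixed is None:
        return ("not_affected", f"{device.version} is outside the affected ranges")
    if not device.in_cluster:
        return ("not_exposed", f"affected build but not in an NGFW cluster; upgrade to {fixed} or later")
    if not device.macsec_enabled:
        return ("not_exposed", f"affected build in a cluster but MACsec disabled; upgrade to {fixed} or later")
    return ("vulnerable", f"upgrade to {fixed} or later")


def report(inventory):
    """Map hostname -> status for a list of Device records."""
    return {d.hostname: assess(d)[0] for d in inventory}


# Constructed sample inventory (hostnames and configuration are made up).
SAMPLE_INVENTORY = [
    Device("fw-core-a", "PA-7500", "11.2.3", True, True),       # fully exposed
    Device("fw-core-b", "PA-7500", "11.1.9", True, False),      # affected build, MACsec off
    Device("fw-core-c", "PA-7500", "11.2.8", True, True),       # fixed build
    Device("fw-edge-1", "PA-5450", "11.2.3", True, True),       # wrong model
    Device("fw-lab-1", "PA-7500", "10.2.9", False, False),      # unaffected train
]

if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        status, reason = assess(d)
        print(f"{d.hostname:12} {d.model:8} {d.version:10} {status:13} {reason}")
```

Run the file directly to print a per-device verdict; the `report` helper returns a plain dict so the same logic can be fed from a real inventory export. The hotfix-suffix handling is an assumption of this example: if your version strings carry other decorations, extend `parse_version` rather than comparing raw strings, since lexical comparison would wrongly order 11.2.10 before 11.2.8.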