CVE-2025-4229 PAN-OS: Traffic Information Disclosure Vulnerability
Description
An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view unencrypted data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall.
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | < 11.2.7 | >= 11.2.7 [ETA: June 2025] |
PAN-OS 11.1 | < 11.1.10 | >= 11.1.10 |
PAN-OS 10.2 | < 10.2.17 | >= 10.2.17 |
PAN-OS 10.1 | < 10.1.14-h16 | >= 10.1.14-h16 [ETA: July 2025] |
Prisma Access | None | All |
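As an added example (not part of this advisory and not Palo Alto Networks tooling), the following Python check applies the Product Status table above to a PAN-OS version string, including the hotfix-suffix semantics that make 10.1.14 affected but 10.1.14-h16 fixed. The `show system info` sample is constructed and the `sw-version:` field name is assumed. A version below the fix only means the software is affected; actual exposure still depends on the SD-WAN configuration described in the next section.

```python
"""Check a PAN-OS version string against the fixed versions in this advisory.

Added example, not Palo Alto Networks code. The fixed-version table below is
transcribed from the advisory's Product Status section; the sample
`show system info` output is constructed for the demonstration.
"""
import re

# First fixed release per PAN-OS train, from the advisory's Product Status table.
# A train not listed here (for example an unsupported 9.x release) is treated as
# affected, matching the "All older unsupported PAN-OS versions" row of the
# Solution table.
FIXED = {
    (11, 2): "11.2.7",
    (11, 1): "11.1.10",
    (10, 2): "10.2.17",
    (10, 1): "10.1.14-h16",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A release without a hotfix suffix gets hotfix 0, so it sorts before its
    hotfixes: 10.1.14 < 10.1.14-h16, which is the comparison this advisory
    relies on for the 10.1 train.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if `version` is below the first fixed release of its train."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Older, unsupported trains have no fixed release; the advisory says
        # to upgrade to a supported fixed version.
        return True
    return v < parse_version(fixed)


def check_system_info(output: str) -> dict:
    """Evaluate the 'sw-version' line of `show system info` CLI output."""
    m = re.search(r"^sw-version:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no sw-version line found")
    version = m.group(1)
    return {"version": version, "affected": is_affected(version)}


# Constructed sample of the relevant lines of `show system info`
# (field layout assumed for the example).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-branch-01
model: PA-440
sw-version: 10.1.14-h10
app-version: 8900-9000
"""

if __name__ == "__main__":
    for v in ["11.2.6", "11.2.7", "10.1.14", "10.1.14-h16", "10.1.14-h17", "9.1.17"]:
        print(f"{v:12} affected={is_affected(v)}")
    print(check_system_info(SAMPLE_SYSTEM_INFO))
```

The comparison is deliberately per train: 11.1.9 is affected even though it is numerically above every fixed 10.x release, because the fix for the 11.1 train is 11.1.10.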
Required Configuration for Exposure
To be vulnerable to this issue, an SD-WAN Interface Profile must be configured on PAN-OS. The interface must also be configured for Direct Internet Access (DIA). Adding an SD-WAN Interface Profile requires the Advanced SD-WAN License.
You can verify whether you configured an SD-WAN Interface Profile by checking for entries in your firewall web interface (Network → Network Profiles → SD-WAN Interface Profile).
To verify if you have Direct Internet Access, see our documentation about configuring Direct Internet Access.
Severity: LOW, Suggested Urgency: MODERATE
CVSS-BT: 2.3 / CVSS-B: 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CAPEC-37 Retrieve Embedded Sensitive Data
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Cloud NGFW | All | No action needed. |
PAN-OS 11.2 | 11.2.0 through 11.2.6 | Upgrade to 11.2.7 or later. |
PAN-OS 11.1 | 11.1.0 through 11.1.9 | Upgrade to 11.1.10 or later. |
PAN-OS 10.2 | 10.2.0 through 10.2.16 | Upgrade to 10.2.17 or later. |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h16 or later. |
All older unsupported PAN-OS versions | All | Upgrade to a supported fixed version. |
Prisma Access | All | No action needed. |
Workarounds and Mitigations
If you are not using the SD-WAN feature of PAN-OS, you can mitigate this issue by disabling the SD-WAN feature. To disable the SD-WAN feature, see our documentation about uninstalling the SD-WAN plugin.
If you are using the SD-WAN feature but do not need Direct Internet Access, you can mitigate the issue by disabling Direct Internet Access on the SD-WAN Interface Profile and backhauling your internet traffic to the SD-WAN hub instead.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*