CVE-2025-4235 User-ID Credential Agent: Cleartext Exposure of Service Account password

Palo Alto Networks Security Advisories / CVE-2025-4235

CVE-2025-4235 User-ID Credential Agent: Cleartext Exposure of Service Account password

Urgency MODERATE

Severity 4.2 · MEDIUM

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery USER

Value Density DIFFUSE

Attack Vector LOCAL

Attack Complexity LOW

Attack Requirements PRESENT

Automatable NO

User Interaction NONE

Product Confidentiality HIGH

Product Integrity LOW

Product Availability LOW

Privileges Required LOW

Subsequent Confidentiality HIGH

Subsequent Integrity HIGH

Subsequent Availability HIGH

CVE JSON CSAF

Published 2025-09-10

Updated 2025-09-10

Reference WINAGENT-1130

Discovered externally

Description

An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account’s permissions. The impact varies by configuration:

Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention under a Domain Credential Filter configuration.
Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.

Product Status

Versions	Affected	Unaffected
User-ID Credential Agent 11.0.0	>= 11.0.2-133 on Windows < 11.0.3 on Windows	< 11.0.2-133 on Windows >= 11.0.3 on Windows

Severity: MEDIUM, Suggested Urgency: MODERATE

Elevated Service Accounts
MEDIUM - CVSS-BT: 4.2 /CVSS-B: 7.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Minimally Privileged Service Account
LOW - CVSS-BT: 1.9 /CVSS-B: 5.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

CAPEC-37: Retrieve Embedded Sensitive Data

Solution

Version	Minor Version	Suggested Solution
User-ID Credential Agent 11.0 on Windows	11.0.2-133	Upgrade to 11.0.3 or later
	11.0.0 through 11.0.1-104	No action needed.

Workarounds and Mitigations

By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the "Allow log on locally" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path:
- Group Policy Management > Domain Controllers > Select GPO (Edit) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Allow log on locally".
Refer to the "Create a Dedicated Service Account for the User-ID Agent" and "Configure Credential Detection with the Windows User-ID Agent" guidelines to ensure service accounts are configured with appropriate permissions and restrictions.

Acknowledgments

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

CPE Applicability

Timeline

2025-09-10 Initial Publication