Palo Alto Networks Security Advisories / CVE-2025-4619

CVE-2025-4619 PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Packets

Urgency MODERATE

047910
Severity 6.6 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2025-11-12
Updated 2025-11-12
Reference PAN-247099
Discovered in production use

Description

A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.

This issue is applicable to the PAN-OS software versions listed below on PA-Series firewalls, VM-Series firewalls, and Prisma® Access software. This issue does not affect Cloud NGFW.

​​We have successfully completed the Prisma Access upgrade for all customers, with the exception of those facing issues such as conflicting maintenance windows. Remaining customers will be promptly scheduled for an upgrade through our standard upgrade process.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 12.1None
All
PAN-OS 11.2< 11.2.2-h2
< 11.2.3-h6
< 11.2.4-h4
< 11.2.5
>= 11.2.2-h2
>= 11.2.3-h6
>= 11.2.4-h4
>= 11.2.5
PAN-OS 11.1>= 11.1.2-h9
< 11.1.2-h18
>= 11.1.3-h2
>= 11.1.4-h4
< 11.1.4-h13
< 11.1.6-h1
< 11.1.7
< 11.1.2-h9
>= 11.1.2-h18
< 11.1.3-h2
< 11.1.4-h4
>= 11.1.4-h13
>= 11.1.6-h1
>= 11.1.7
PAN-OS 10.2>= 10.2.4-h25
>= 10.2.7-h11
< 10.2.7-h24
>= 10.2.8-h10
< 10.2.8-h21
>= 10.2.9-h6
< 10.2.9-h21
>= 10.2.10-h2
< 10.2.10-h14
< 10.2.11-h12
< 10.2.12-h6
< 10.2.13-h3
< 10.2.14
< 10.2.4-h25
< 10.2.7-h11
>= 10.2.7-h24
< 10.2.8-h10
>= 10.2.8-h21
< 10.2.9-h6
>= 10.2.9-h21
< 10.2.10-h2
>= 10.2.10-h14
>= 10.2.11-h12
>= 10.2.12-h6
>= 10.2.13-h3
>= 10.2.14
PAN-OS 10.1None
All
Prisma Access>= 10.2.4-h25 on PAN-OS
< 10.2.10-h14 on PAN-OS
< 11.2.4-h4 on PAN-OS
< 10.2.4-h25 on PAN-OS
>= 10.2.10-h14 on PAN-OS
>= 11.2.4-h4 on PAN-OS

Required Configuration for Exposure

This issue is only applicable to firewalls where URL proxy or any decrypt-policy is configured.

When any decrypt policy is configured, this issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-754 Improper Check for Unusual or Exceptional Conditions

CAPEC-129: Pointer Manipulation

Solution

Version
Minor Version
Suggested Solution
Cloud NGFW
No action needed.
PAN-OS 12.1
No action needed.
PAN-OS 11.2
 11.2.0 through 11.2.4 Upgrade to 11.2.4-h4 or 11.2.5 or later.
11.2.0 through 11.2.3 Upgrade to 11.2.3-h6 or 11.2.5 or later.
11.2.0 through 11.2.2 Upgrade to 11.2.2-h2 or 11.2.5 or later.
PAN-OS 11.1
 11.1.0 through 11.1.6 Upgrade to 11.1.6-h1 or 11.1.7 or later.
11.1.0 through 11.1.4 Upgrade to 11.1.4-h13 or 11.1.7 or later.
11.1.0 through 11.1.3 Remain on a version older than 11.1.3-h2 or upgrade to 11.1.4-h13 or 11.1.7 or later.
11.1.0 through 11.1.2 Upgrade to 11.1.2-h18 or 11.1.7 or later.
PAN-OS 10.2
 10.2.0 through 10.2.13 Upgrade to 10.2.13-h3 or 10.2.14 or later.
10.2.0 through 10.2.12 Upgrade to 10.2.12-h6 or 10.2.14 or later.
10.2.0 through 10.2.11 Upgrade to 10.2.11-h12 or 10.2.14 or later.
10.2.0 through 10.2.10 Upgrade to 10.2.10-h14 or 10.2.14 or later.
10.2.0 through 10.2.9 Upgrade to 10.2.9-h21 or 10.2.14 or later.
10.2.0 through 10.2.8 Upgrade to 10.2.8-h21 or 10.2.14 or later.
10.2.0 through 10.2.7 Upgrade to 10.2.7-h24 or 10.2.14 or later.
10.2.0 through 10.2.4 Remain on a version older than 10.2.4-h25
PAN-OS 10.1
No action needed.
All older
unsupported
PAN-OS versions		 Upgrade to a supported fixed version.
 Prisma Access  on PAN-OS11.2.0 through 11.2.4Upgrade to 11.2.4-h4 or later

 10.2.0 through 10.2.10 Upgrade to 10.2.10-h14 or 11.2.4-h4 or later.
10.2.0 through 10.2.4 Remain on a version older than 10.2.4-h25.

Workarounds and Mitigations

No known workarounds exist for this issue.

Frequently Asked Questions

Q. What is URL Proxy?

URL Proxy is a Palo Alto Networks firewall feature that lets the firewall display a block page when a user tries to access an HTTPS website blocked by URL Filtering, even if SSL Decryption is not fully enabled. This feature is only necessary for HTTPS traffic; HTTP traffic does not require it. A URL Filtering license may not be needed if the site is blocked using custom URLs or External Dynamic Lists (EDLs).

URL Proxy is configured via the PAN-OS CLI. To verify if it is enabled, check the output of the following command:

> configure
# show | match url-proxy
      url-proxy yes;

If the output shows "url-proxy no" or produces no output, URL Proxy is disabled by default.

To disable it, enter configuration mode and run:

> configure
# set deviceconfig setting ssl-decrypt url-proxy no
# commit

For additional information, see the Palo Alto Networks knowledge base article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFKCA0

CPEs

cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:-:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:-:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h8:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h7:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h6:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h8:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h7:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h6:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h17:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h16:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h15:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h14:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.13:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.12:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h8:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h7:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h6:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:h1:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.11:-:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h8:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h7:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h6:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h5:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h4:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h3:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.10:h2:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h20:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h19:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h18:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h17:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h16:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h15:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h14:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h9:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h8:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h20:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h19:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h18:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h23:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h22:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h21:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h20:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h19:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h18:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h17:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h16:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h15:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h14:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h13:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:10.2.0:*:*:*:*:*:*:*

CPE Applicability

Timeline

Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.