{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0123", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2024-12-20T23:23:24.262Z", "datePublished": "2025-04-11T17:43:05.126Z", "dateUpdated": "2025-04-11T18:36:46.622Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Cloud NGFW", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}]}, {"cpes": ["cpe:2.3:o:paloaltonetworks:pan-os:11.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "11.2.6", "status": "unaffected"}], "lessThan": "11.2.6", "status": "affected", "version": "11.2.0", "versionType": "custom"}, {"changes": [{"at": "11.1.8", "status": "unaffected"}], "lessThan": "11.1.8", "status": "affected", "version": "11.1.0", "versionType": "custom"}, {"changes": [{"at": "10.2.15", "status": "unaffected"}], "lessThan": "10.2.15", "status": "affected", "version": "10.2.0", "versionType": "custom"}, {"changes": [{"at": "10.1.14-h13", "status": "unaffected"}], "lessThan": "10.1.14-h13", "status": "affected", "version": "10.1.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Prisma Access", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This vulnerability requires the following configuration:<ol><li>An SSL decryption policy matching HTTP/2 data flows tied to a decryption profile without 'Strip ALPN' enabled;<br>and</li><li>Global HTTP/2 inspection enabled.<br><br>Note: Global HTTP/2 inspection is enabled by default. The setting to disable it is available only by using the PAN-OS command-line interface (CLI). To verify whether this feature is globally disabled use the following CLI commands:<p><tt>&gt; set cli config-output-format set<br>&gt;&nbsp;configure <br># show | match&nbsp;'http2 enable no'</tt></p>\u2003\u2003- If there is no output, then http2 inspection is enabled.<br>\u2003\u2003- If output shows <tt>'set deviceconfig setting http2 enable no'</tt> then http2 traffic is classified as <tt>unknown-tcp</tt> and is not decrypted by the firewall, which makes clear-text data unreadable in packet captures.<br>\u2003\u2003<br></li></ol>"}], "value": "This vulnerability requires the following configuration: * An SSL decryption policy matching HTTP/2 data flows tied to a decryption profile without 'Strip ALPN' enabled;\nand\n * Global HTTP/2 inspection enabled.\n\nNote: Global HTTP/2 inspection is enabled by default. The setting to disable it is available only by using the PAN-OS command-line interface (CLI). To verify whether this feature is globally disabled use the following CLI commands:> set cli config-output-format set\n>\u00a0configure \n# show | match\u00a0'http2 enable no'\n\n\u2003\u2003- If there is no output, then http2 inspection is enabled.\n\u2003\u2003- If output shows 'set deviceconfig setting http2 enable no' then http2 traffic is classified as unknown-tcp and is not decrypted by the firewall, which makes clear-text data unreadable in packet captures."}], "credits": [{"lang": "en", "type": "finder", "value": "Saurabh Tripathi of Palo Alto Networks"}], "datePublic": "2025-04-09T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in the Palo Alto Networks PAN-OS\u00ae software enables unlicensed administrators to view clear-text data captured using the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture\">packet capture feature</a> in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.<br><br>In normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring\">configure decryption port mirroring</a>.<br><br>The administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">critical deployment guidelines</a>.<br><br>Customer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting.<br><br>Prisma\u00ae Access is not impacted by this vulnerability."}], "value": "A vulnerability in the Palo Alto Networks PAN-OS\u00ae software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.\n\nIn normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to configure decryption port mirroring https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring .\n\nThe administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nCustomer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting.\n\nPrisma\u00ae Access is not impacted by this vulnerability."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "impacts": [{"capecId": "CAPEC-158", "descriptions": [{"lang": "en", "value": "CAPEC-158: Sniffing Network Traffic"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 5.9, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "Firewall administrators can see traffic that they should not be able to see, which impacts confidentiality but there is no impact to integrity or availability of that traffic."}]}, {"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 0, "baseSeverity": "NONE", "privilegesRequired": "HIGH", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "There is no risk if the firewall is licensed for decryption port mirroring because firewall administrators are already authorized to obtain decrypted packet captures from Palo Alto Networks firewalls."}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2025-04-11T17:43:05.126Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.paloaltonetworks.com/CVE-2025-0123"}], "solutions": [{"lang": "eng", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions.<br><br><table class=\"tbl\"><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr><td>PAN-OS 11.2<br></td><td>11.2.0 through 11.2.5</td><td>Upgrade to 11.2.6 or later.<br></td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.7<br></td><td>Upgrade to 11.1.8 or later.</td></tr><tr><td>PAN-OS 11.0 (EoL)<br></td><td><br></td><td>Upgrade to a supported fixed version.<br></td></tr><tr><td>PAN-OS 10.2<br></td><td>10.2.0 through 10.2.14<br></td><td>Upgrade to 10.2.15 or later.<br><br></td></tr><tr><td>PAN-OS 10.1<br></td><td>10.1.0 through 10.1.14-h11<br></td><td>Upgrade to 10.1.14-h13 or later.<br></td></tr><tr><td>All other older<br>unsupported<br>PAN-OS versions</td><td>&nbsp;</td><td>Upgrade to a supported fixed version.</td></tr></tbody></table><br>To fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.<p><b>Using the Web Interface:</b></p>1. Select <b>Monitor</b> &gt; <b>Packet Capture</b> &gt; <b>Captured Files</b> &gt; (Select All) and <b>Delete</b> the files.<br>2. Select <b>Yes</b> when prompted by the confirmation dialog.<p><b>Using the PAN-OS CLI:</b></p>1. Enter the following operational command:<br><p><tt>&gt; delete debug-filter file *&nbsp;</tt></p>2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall:<br><p><tt>successfully removed *&nbsp;</tt></p>"}], "value": "This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions.\n\nVersion\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.5Upgrade to 11.2.6 or later.\nPAN-OS 11.111.1.0 through 11.1.7\nUpgrade to 11.1.8 or later.PAN-OS 11.0 (EoL)\n\nUpgrade to a supported fixed version.\nPAN-OS 10.2\n10.2.0 through 10.2.14\nUpgrade to 10.2.15 or later.\n\nPAN-OS 10.1\n10.1.0 through 10.1.14-h11\nUpgrade to 10.1.14-h13 or later.\nAll other older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\nTo fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.Using the Web Interface:\n\n1. Select Monitor > Packet Capture > Captured Files > (Select All) and Delete the files.\n2. Select Yes when prompted by the confirmation dialog.Using the PAN-OS CLI:\n\n1. Enter the following operational command:\n> delete debug-filter file *\u00a0\n\n2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall:\nsuccessfully removed *"}], "source": {"defect": ["PAN-257442"], "discovery": "INTERNAL"}, "timeline": [{"lang": "en", "time": "2025-04-09T16:00:00.000Z", "value": "Initial Publication"}], "title": "PAN-OS: Information Disclosure Vulnerability in HTTP/2 Packet Captures", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mitigation: In a Palo Alto Networks firewall, you can configure the decryption profile to <i><b>strip ALPN</b></i> (Application-Layer Protocol Negotiation) from the TLS handshake, which is used to negotiate the application protocol (e.g., HTTP/2 or HTTP/1.1) for the secured connection. When ALPN is absent, the following behaviors can occur:<br><ul><li><b>Firewall behavior</b>\u2014With no ALPN value available, the firewall cannot perform HTTP/2 inspection. It either forces the connection to downgrade to HTTP/1.1 (by letting the client and server negotiate a fallback) or, if that downgrade isn\u2019t possible, it can classify the traffic as <tt>unknown-tcp</tt> and potentially affects your security policy rules and application identification.</li><li><b>Client behavior</b>\u2014Most modern web browsers rely on ALPN to negotiate HTTP/2. If ALPN is missing, the client typically falls back to HTTP/1.1.</li><li><b>Server behavior</b>\u2014If ALPN is absent, the server can assume that the client supports only HTTP/1.1 and downgrades the connection accordingly. If the server enforces HTTP/2-only connections, then it may reject the handshake and cause a connection failure.</li></ul>Consequently, without ALPN, the Palo Alto Networks firewall does not inspect HTTP/2 connections, which prevents decrypted HTTP/2 (clear-text) traffic exposure to firewall administrators.<br><br>You can review how to strip ALPN and disable HTTP/2 inspection for targeted traffic in the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/http2#:~:text=Disable%20HTTP%2F2%20inspection%20for%20targeted%20traffic.\">App-ID and HTTP/2</a> inspection technical documentation.<br><br>Additional mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">critical deployment guidelines</a>. Specifically, you should restrict management interface access to only trusted internal IP addresses.<br><br>Review information about how to secure management access to your Palo Alto Networks firewalls:<br><ul><li>Palo Alto Networks LIVEcommunity article: <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-ac...</a></li><li>Palo Alto Networks official and detailed technical documentation:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\">https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr...</a></li></ul>"}], "value": "Mitigation: In a Palo Alto Networks firewall, you can configure the decryption profile to strip ALPN (Application-Layer Protocol Negotiation) from the TLS handshake, which is used to negotiate the application protocol (e.g., HTTP/2 or HTTP/1.1) for the secured connection. When ALPN is absent, the following behaviors can occur:\n * Firewall behavior\u2014With no ALPN value available, the firewall cannot perform HTTP/2 inspection. It either forces the connection to downgrade to HTTP/1.1 (by letting the client and server negotiate a fallback) or, if that downgrade isn\u2019t possible, it can classify the traffic as unknown-tcp and potentially affects your security policy rules and application identification.\n * Client behavior\u2014Most modern web browsers rely on ALPN to negotiate HTTP/2. If ALPN is missing, the client typically falls back to HTTP/1.1.\n * Server behavior\u2014If ALPN is absent, the server can assume that the client supports only HTTP/1.1 and downgrades the connection accordingly. If the server enforces HTTP/2-only connections, then it may reject the handshake and cause a connection failure.\n\n\nConsequently, without ALPN, the Palo Alto Networks firewall does not inspect HTTP/2 connections, which prevents decrypted HTTP/2 (clear-text) traffic exposure to firewall administrators.\n\nYou can review how to strip ALPN and disable HTTP/2 inspection for targeted traffic in the App-ID and HTTP/2 https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/http2#:~:text=Disable%20HTTP%2F2%20inspection%20for%20targeted%20traffic. inspection technical documentation.\n\nAdditional mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Specifically, you should restrict management interface access to only trusted internal IP addresses.\n\nReview information about how to secure management access to your Palo Alto Networks firewalls:\n * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-ac... https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n * Palo Alto Networks official and detailed technical documentation:\u00a0 https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr... https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T18:35:09.452088Z", "id": "CVE-2025-0123", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T18:36:46.622Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-11T18:35:09.452088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T18:35:20.539Z"}}], "cna": {"title": "PAN-OS: Information Disclosure Vulnerability in HTTP/2 Packet Captures", "source": {"defect": ["PAN-257442"], "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Saurabh Tripathi of Palo Alto Networks"}], "impacts": [{"capecId": "CAPEC-158", "descriptions": [{"lang": "en", "value": "CAPEC-158: Sniffing Network Traffic"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.9, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "Firewall administrators can see traffic that they should not be able to see, which impacts confidentiality but there is no impact to integrity or availability of that traffic."}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 0, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "There is no risk if the firewall is licensed for decryption port mirroring because firewall administrators are already authorized to obtain decrypted packet captures from Palo Alto Networks firewalls."}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:o:paloaltonetworks:pan-os:11.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"], "vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "affected", "changes": [{"at": "11.2.6", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.6", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.1.8", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.8", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.2.15", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.15", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.1.14-h13", "status": "unaffected"}], "version": "10.1.0", "lessThan": "10.1.14-h13", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "base64": false}]}], "timeline": [{"lang": "en", "time": "2025-04-09T16:00:00.000Z", "value": "Initial Publication"}], "solutions": [{"lang": "eng", "value": "This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions.\n\nVersion\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.5Upgrade to 11.2.6 or later.\nPAN-OS 11.111.1.0 through 11.1.7\nUpgrade to 11.1.8 or later.PAN-OS 11.0 (EoL)\n\nUpgrade to a supported fixed version.\nPAN-OS 10.2\n10.2.0 through 10.2.14\nUpgrade to 10.2.15 or later.\n\nPAN-OS 10.1\n10.1.0 through 10.1.14-h11\nUpgrade to 10.1.14-h13 or later.\nAll other older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\nTo fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.Using the Web Interface:\n\n1. Select Monitor > Packet Capture > Captured Files > (Select All) and Delete the files.\n2. Select Yes when prompted by the confirmation dialog.Using the PAN-OS CLI:\n\n1. Enter the following operational command:\n> delete debug-filter file *\u00a0\n\n2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall:\nsuccessfully removed *", "supportingMedia": [{"type": "text/html", "value": "This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions.<br><br><table class=\"tbl\"><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr><td>PAN-OS 11.2<br></td><td>11.2.0 through 11.2.5</td><td>Upgrade to 11.2.6 or later.<br></td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.7<br></td><td>Upgrade to 11.1.8 or later.</td></tr><tr><td>PAN-OS 11.0 (EoL)<br></td><td><br></td><td>Upgrade to a supported fixed version.<br></td></tr><tr><td>PAN-OS 10.2<br></td><td>10.2.0 through 10.2.14<br></td><td>Upgrade to 10.2.15 or later.<br><br></td></tr><tr><td>PAN-OS 10.1<br></td><td>10.1.0 through 10.1.14-h11<br></td><td>Upgrade to 10.1.14-h13 or later.<br></td></tr><tr><td>All other older<br>unsupported<br>PAN-OS versions</td><td>&nbsp;</td><td>Upgrade to a supported fixed version.</td></tr></tbody></table><br>To fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.<p><b>Using the Web Interface:</b></p>1. Select <b>Monitor</b> &gt; <b>Packet Capture</b> &gt; <b>Captured Files</b> &gt; (Select All) and <b>Delete</b> the files.<br>2. Select <b>Yes</b> when prompted by the confirmation dialog.<p><b>Using the PAN-OS CLI:</b></p>1. Enter the following operational command:<br><p><tt>&gt; delete debug-filter file *&nbsp;</tt></p>2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall:<br><p><tt>successfully removed *&nbsp;</tt></p>", "base64": false}]}], "datePublic": "2025-04-09T16:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2025-0123", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Mitigation: In a Palo Alto Networks firewall, you can configure the decryption profile to strip ALPN (Application-Layer Protocol Negotiation) from the TLS handshake, which is used to negotiate the application protocol (e.g., HTTP/2 or HTTP/1.1) for the secured connection. When ALPN is absent, the following behaviors can occur:\n * Firewall behavior\u2014With no ALPN value available, the firewall cannot perform HTTP/2 inspection. It either forces the connection to downgrade to HTTP/1.1 (by letting the client and server negotiate a fallback) or, if that downgrade isn\u2019t possible, it can classify the traffic as unknown-tcp and potentially affects your security policy rules and application identification.\n * Client behavior\u2014Most modern web browsers rely on ALPN to negotiate HTTP/2. If ALPN is missing, the client typically falls back to HTTP/1.1.\n * Server behavior\u2014If ALPN is absent, the server can assume that the client supports only HTTP/1.1 and downgrades the connection accordingly. If the server enforces HTTP/2-only connections, then it may reject the handshake and cause a connection failure.\n\n\nConsequently, without ALPN, the Palo Alto Networks firewall does not inspect HTTP/2 connections, which prevents decrypted HTTP/2 (clear-text) traffic exposure to firewall administrators.\n\nYou can review how to strip ALPN and disable HTTP/2 inspection for targeted traffic in the App-ID and HTTP/2 https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/http2#:~:text=Disable%20HTTP%2F2%20inspection%20for%20targeted%20traffic. inspection technical documentation.\n\nAdditional mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Specifically, you should restrict management interface access to only trusted internal IP addresses.\n\nReview information about how to secure management access to your Palo Alto Networks firewalls:\n * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-ac... https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n * Palo Alto Networks official and detailed technical documentation:\u00a0 https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr... https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices", "supportingMedia": [{"type": "text/html", "value": "Mitigation: In a Palo Alto Networks firewall, you can configure the decryption profile to <i><b>strip ALPN</b></i> (Application-Layer Protocol Negotiation) from the TLS handshake, which is used to negotiate the application protocol (e.g., HTTP/2 or HTTP/1.1) for the secured connection. When ALPN is absent, the following behaviors can occur:<br><ul><li><b>Firewall behavior</b>\u2014With no ALPN value available, the firewall cannot perform HTTP/2 inspection. It either forces the connection to downgrade to HTTP/1.1 (by letting the client and server negotiate a fallback) or, if that downgrade isn\u2019t possible, it can classify the traffic as <tt>unknown-tcp</tt> and potentially affects your security policy rules and application identification.</li><li><b>Client behavior</b>\u2014Most modern web browsers rely on ALPN to negotiate HTTP/2. If ALPN is missing, the client typically falls back to HTTP/1.1.</li><li><b>Server behavior</b>\u2014If ALPN is absent, the server can assume that the client supports only HTTP/1.1 and downgrades the connection accordingly. If the server enforces HTTP/2-only connections, then it may reject the handshake and cause a connection failure.</li></ul>Consequently, without ALPN, the Palo Alto Networks firewall does not inspect HTTP/2 connections, which prevents decrypted HTTP/2 (clear-text) traffic exposure to firewall administrators.<br><br>You can review how to strip ALPN and disable HTTP/2 inspection for targeted traffic in the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/http2#:~:text=Disable%20HTTP%2F2%20inspection%20for%20targeted%20traffic.\">App-ID and HTTP/2</a> inspection technical documentation.<br><br>Additional mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you have not already, we strongly recommend that you secure access to your management interface according to our <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">critical deployment guidelines</a>. Specifically, you should restrict management interface access to only trusted internal IP addresses.<br><br>Review information about how to secure management access to your Palo Alto Networks firewalls:<br><ul><li>Palo Alto Networks LIVEcommunity article: <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-ac...</a></li><li>Palo Alto Networks official and detailed technical documentation:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\">https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administr...</a></li></ul>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the Palo Alto Networks PAN-OS\u00ae software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.\n\nIn normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to configure decryption port mirroring https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring .\n\nThe administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nCustomer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting.\n\nPrisma\u00ae Access is not impacted by this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in the Palo Alto Networks PAN-OS\u00ae software enables unlicensed administrators to view clear-text data captured using the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture\">packet capture feature</a> in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.<br><br>In normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring\">configure decryption port mirroring</a>.<br><br>The administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">critical deployment guidelines</a>.<br><br>Customer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting.<br><br>Prisma\u00ae Access is not impacted by this vulnerability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312 Cleartext Storage of Sensitive Information"}]}], "configurations": [{"lang": "en", "value": "This vulnerability requires the following configuration: * An SSL decryption policy matching HTTP/2 data flows tied to a decryption profile without 'Strip ALPN' enabled;\nand\n * Global HTTP/2 inspection enabled.\n\nNote: Global HTTP/2 inspection is enabled by default. The setting to disable it is available only by using the PAN-OS command-line interface (CLI). To verify whether this feature is globally disabled use the following CLI commands:> set cli config-output-format set\n>\u00a0configure \n# show | match\u00a0'http2 enable no'\n\n\u2003\u2003- If there is no output, then http2 inspection is enabled.\n\u2003\u2003- If output shows 'set deviceconfig setting http2 enable no' then http2 traffic is classified as unknown-tcp and is not decrypted by the firewall, which makes clear-text data unreadable in packet captures.", "supportingMedia": [{"type": "text/html", "value": "This vulnerability requires the following configuration:<ol><li>An SSL decryption policy matching HTTP/2 data flows tied to a decryption profile without 'Strip ALPN' enabled;<br>and</li><li>Global HTTP/2 inspection enabled.<br><br>Note: Global HTTP/2 inspection is enabled by default. The setting to disable it is available only by using the PAN-OS command-line interface (CLI). To verify whether this feature is globally disabled use the following CLI commands:<p><tt>&gt; set cli config-output-format set<br>&gt;&nbsp;configure <br># show | match&nbsp;'http2 enable no'</tt></p>\u2003\u2003- If there is no output, then http2 inspection is enabled.<br>\u2003\u2003- If output shows <tt>'set deviceconfig setting http2 enable no'</tt> then http2 traffic is classified as <tt>unknown-tcp</tt> and is not decrypted by the firewall, which makes clear-text data unreadable in packet captures.<br>\u2003\u2003<br></li></ol>", "base64": false}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2025-04-11T17:43:05.126Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0123", "state": "PUBLISHED", "dateUpdated": "2025-04-11T18:36:46.622Z", "dateReserved": "2024-12-20T23:23:24.262Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2025-04-11T17:43:05.126Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the Palo Alto Networks PAN-OS\u00ae software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.\n\nIn normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to configure decryption port mirroring https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring .\n\nThe administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nCustomer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting.\n\nPrisma\u00ae Access is not impacted by this vulnerability."}], "id": "CVE-2025-0123", "lastModified": "2025-04-15T18:39:43.697", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2025-04-11T18:15:38.610", "references": [{"source": "psirt@paloaltonetworks.com", "url": "https://security.paloaltonetworks.com/CVE-2025-0123"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}

{}