{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0128", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2024-12-20T23:23:28.952Z", "datePublished": "2025-04-11T02:03:22.355Z", "dateUpdated": "2025-04-11T16:01:46.600Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["PAN-OS"], "product": "Cloud NGFW", "vendor": "Palo Alto Networks", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}]}, {"cpes": ["cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h32:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h31:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h30:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h29:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h28:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h27:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h26:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h25:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h24:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h23:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h22:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h21:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "PAN-OS", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "11.2.3", "status": "unaffected"}], "lessThan": "11.2.3", "status": "affected", "version": "11.2.0", "versionType": "custom"}, {"changes": [{"at": "11.1.5", "status": "unaffected"}], "lessThan": "11.1.5", "status": "affected", "version": "11.1.0", "versionType": "custom"}, {"changes": [{"at": "11.0.6", "status": "unaffected"}], "lessThan": "11.0.6", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"changes": [{"at": "10.2.10-h17", "status": "unaffected"}], "lessThan": "10.2.10-h17", "status": "affected", "version": "10.2.0", "versionType": "custom"}, {"changes": [{"at": "10.1.14-h11", "status": "unaffected"}], "lessThan": "10.1.14-h11", "status": "affected", "version": "10.1.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "platforms": ["PAN-OS"], "product": "Prisma Access", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "10.2.10-h17", "status": "unaffected"}, {"at": "10.2.4-h36", "status": "unaffected"}], "lessThan": "10.2.4-h36", "status": "affected", "version": "10.2.0", "versionType": "custom"}, {"lessThan": "11.2.4-h5", "status": "affected", "version": "11.2.0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Firewalls for which you do not apply the explicit mitigation for this issue are affected."}], "value": "NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Firewalls for which you do not apply the explicit mitigation for this issue are affected."}], "credits": [{"lang": "en", "type": "finder", "value": "Abyss Watcher"}], "datePublic": "2025-04-09T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.<br><br>Cloud NGFW is not affected by this vulnerability. Prisma\u00ae Access software is proactively patched and protected from this issue.</p>"}], "value": "A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.\n\nCloud NGFW is not affected by this vulnerability. Prisma\u00ae Access software is proactively patched and protected from this issue."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "A user sends a malicious crafted packet through the firewall, which processes a malicious packet that causes this issue."}]}, {"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "For Prisma Access, this issue can only be initiated by authenticated end users that use a maliciously crafted packet."}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2025-04-11T02:03:22.355Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.paloaltonetworks.com/CVE-2025-0128"}], "solutions": [{"lang": "eng", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<table class=\"tbl\"><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr><td>PAN-OS 11.2<br></td><td>11.2.0 through 11.2.2</td><td>Upgrade to 11.2.3 or later<br></td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.4<br></td><td>Upgrade to 11.1.5 or later</td></tr><tr><td>PAN-OS 11.0<br></td><td>11.0.0 through 11.0.5<br></td><td>Upgrade to 11.0.6 or later<br></td></tr><tr><td>PAN-OS 10.2<br></td><td>10.2.0 through 10.2.10</td><td>Upgrade to 10.2.11 or later</td></tr><tr><td>PAN-OS 10.1<br></td><td>10.1.0 through 10.1.14<br></td><td>Upgrade to 10.1.14-h11 or later<br></td></tr><tr><td>All other older<br>unsupported<br>PAN-OS versions</td><td>&nbsp;</td><td>Upgrade to a supported fixed version.</td></tr></tbody></table><br>PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.<br><br>We proactively initiated the upgrade through Prisma Access March 21, 2025, to cover all tenants."}], "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.2Upgrade to 11.2.3 or later\nPAN-OS 11.111.1.0 through 11.1.4\nUpgrade to 11.1.5 or laterPAN-OS 11.0\n11.0.0 through 11.0.5\nUpgrade to 11.0.6 or later\nPAN-OS 10.2\n10.2.0 through 10.2.10Upgrade to 10.2.11 or laterPAN-OS 10.1\n10.1.0 through 10.1.14\nUpgrade to 10.1.14-h11 or later\nAll other older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\nPAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.\n\nWe proactively initiated the upgrade through Prisma Access March 21, 2025, to cover all tenants."}], "source": {"defect": ["PAN-255859"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2025-04-09T16:00:00.000Z", "value": "Initial Publication"}], "title": "PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI):<br><tt></tt><p><tt><tt>&gt; debug sslmgr set disable-scep-auth-cookie yes</tt></tt></p>CAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected."}], "value": "If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI):\n> debug sslmgr set disable-scep-auth-cookie yes\n\nCAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-11T15:10:28.623543Z", "id": "CVE-2025-0128", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T16:01:46.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-11T15:10:28.623543Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-11T15:13:34.350Z"}}], "cna": {"title": "PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet", "source": {"defect": ["PAN-255859"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Abyss Watcher"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:M/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "A user sends a malicious crafted packet through the firewall, which processes a malicious packet that causes this issue."}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/AU:Y/R:U/V:C/RE:M/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "For Prisma Access, this issue can only be initiated by authenticated end users that use a maliciously crafted packet."}]}], "affected": [{"vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [{"status": "unaffected", "version": "All", "versionType": "custom"}], "platforms": ["PAN-OS"], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h32:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h31:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h30:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h29:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h28:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h27:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h26:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h25:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h24:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h23:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h22:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h21:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*"], "vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [{"status": "affected", "changes": [{"at": "11.2.3", "status": "unaffected"}], "version": "11.2.0", "lessThan": "11.2.3", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.1.5", "status": "unaffected"}], "version": "11.1.0", "lessThan": "11.1.5", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "11.0.6", "status": "unaffected"}], "version": "11.0.0", "lessThan": "11.0.6", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.2.10-h17", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.10-h17", "versionType": "custom"}, {"status": "affected", "changes": [{"at": "10.1.14-h11", "status": "unaffected"}], "version": "10.1.0", "lessThan": "10.1.14-h11", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [{"status": "affected", "changes": [{"at": "10.2.10-h17", "status": "unaffected"}, {"at": "10.2.4-h36", "status": "unaffected"}], "version": "10.2.0", "lessThan": "10.2.4-h36", "versionType": "custom"}, {"status": "affected", "version": "11.2.0", "lessThan": "11.2.4-h5", "versionType": "custom"}], "platforms": ["PAN-OS"], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "supportingMedia": [{"type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue.", "base64": false}]}], "timeline": [{"lang": "en", "time": "2025-04-09T16:00:00.000Z", "value": "Initial Publication"}], "solutions": [{"lang": "eng", "value": "Version\nMinor Version\nSuggested Solution\nPAN-OS 11.2\n11.2.0 through 11.2.2Upgrade to 11.2.3 or later\nPAN-OS 11.111.1.0 through 11.1.4\nUpgrade to 11.1.5 or laterPAN-OS 11.0\n11.0.0 through 11.0.5\nUpgrade to 11.0.6 or later\nPAN-OS 10.2\n10.2.0 through 10.2.10Upgrade to 10.2.11 or laterPAN-OS 10.1\n10.1.0 through 10.1.14\nUpgrade to 10.1.14-h11 or later\nAll other older\nunsupported\nPAN-OS versions\u00a0Upgrade to a supported fixed version.\nPAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.\n\nWe proactively initiated the upgrade through Prisma Access March 21, 2025, to cover all tenants.", "supportingMedia": [{"type": "text/html", "value": "<table class=\"tbl\"><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr><td>PAN-OS 11.2<br></td><td>11.2.0 through 11.2.2</td><td>Upgrade to 11.2.3 or later<br></td></tr><tr><td>PAN-OS 11.1</td><td>11.1.0 through 11.1.4<br></td><td>Upgrade to 11.1.5 or later</td></tr><tr><td>PAN-OS 11.0<br></td><td>11.0.0 through 11.0.5<br></td><td>Upgrade to 11.0.6 or later<br></td></tr><tr><td>PAN-OS 10.2<br></td><td>10.2.0 through 10.2.10</td><td>Upgrade to 10.2.11 or later</td></tr><tr><td>PAN-OS 10.1<br></td><td>10.1.0 through 10.1.14<br></td><td>Upgrade to 10.1.14-h11 or later<br></td></tr><tr><td>All other older<br>unsupported<br>PAN-OS versions</td><td>&nbsp;</td><td>Upgrade to a supported fixed version.</td></tr></tbody></table><br>PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade to a fixed supported version.<br><br>We proactively initiated the upgrade through Prisma Access March 21, 2025, to cover all tenants.", "base64": false}]}], "datePublic": "2025-04-09T16:00:00.000Z", "references": [{"url": "https://security.paloaltonetworks.com/CVE-2025-0128", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI):\n> debug sslmgr set disable-scep-auth-cookie yes\n\nCAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected.", "supportingMedia": [{"type": "text/html", "value": "If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI):<br><tt></tt><p><tt><tt>&gt; debug sslmgr set disable-scep-auth-cookie yes</tt></tt></p>CAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.\n\nCloud NGFW is not affected by this vulnerability. Prisma\u00ae Access software is proactively patched and protected from this issue.", "supportingMedia": [{"type": "text/html", "value": "<p>A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.<br><br>Cloud NGFW is not affected by this vulnerability. Prisma\u00ae Access software is proactively patched and protected from this issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}], "configurations": [{"lang": "en", "value": "NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Firewalls for which you do not apply the explicit mitigation for this issue are affected.", "supportingMedia": [{"type": "text/html", "value": "NOTE: You do not need to have explicitly configured SCEP on your firewall to be at risk. Firewalls for which you do not apply the explicit mitigation for this issue are affected.", "base64": false}]}], "providerMetadata": {"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2025-04-11T02:03:22.355Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0128", "state": "PUBLISHED", "dateUpdated": "2025-04-11T16:01:46.600Z", "dateReserved": "2024-12-20T23:23:28.952Z", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "datePublished": "2025-04-11T02:03:22.355Z", "assignerShortName": "palo_alto"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS\u00ae software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.\n\nCloud NGFW is not affected by this vulnerability. Prisma\u00ae Access software is proactively patched and protected from this issue."}, {"lang": "es", "value": "Una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la funci\u00f3n de autenticaci\u00f3n del Protocolo simple de inscripci\u00f3n de certificados (SCEP) del software PAN-OS\u00ae de Palo Alto Networks permite que un atacante no autenticado inicie reinicios del sistema utilizando un paquete manipulado maliciosamente. Los intentos repetidos de iniciar un reinicio hacen que el firewall entre en modo de mantenimiento. Cloud NGFW no se ve afectado por esta vulnerabilidad. El software Prisma\u00ae Access est\u00e1 parcheado y protegido de forma proactiva contra este problema."}], "id": "CVE-2025-0128", "lastModified": "2025-04-11T15:39:52.920", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}, "published": "2025-04-11T02:15:19.253", "references": [{"source": "psirt@paloaltonetworks.com", "url": "https://security.paloaltonetworks.com/CVE-2025-0128"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}]}

{}