CVE-2025-0126

Summary

When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker.

The SAML login for the PAN-OS® management interface is not affected. Additionally, this issue does not affect Cloud NGFW and all Prisma® Access instances are proactively patched.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.3affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.5affected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.6affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.10-h6affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.14-h11affected
Palo Alto NetworksPrisma Access10.2.0 < 10.2.4-h36affected
Palo Alto NetworksPrisma Access11.2.0 < 11.2.4-h5affected

Weaknesses

  • CWE-384: CWE-384 Session Fixation

Workarounds

This issue can be mitigated using a different form of authentication for the GlobalProtect portal (such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos). For more information about configuring authentication for the GlobalProtect portal see this technical documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-authentication-configuration-tab .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References