CVE-2025-0128

Summary

A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.

Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.3affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.5affected
Palo Alto NetworksPAN-OS11.0.0 < 11.0.6affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.10-h17affected
Palo Alto NetworksPAN-OS10.1.0 < 10.1.14-h11affected
Palo Alto NetworksPrisma Access10.2.0 < 10.2.4-h36affected
Palo Alto NetworksPrisma Access11.2.0 < 11.2.4-h5affected

Weaknesses

  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions

Workarounds

If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI): > debug sslmgr set disable-scep-auth-cookie yes

CAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References