CVE-2025-0128
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:M/U:Amber
Summary
A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.
Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.3 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.5 | affected |
| Palo Alto Networks | PAN-OS | 11.0.0 < 11.0.6 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.10-h17 | affected |
| Palo Alto Networks | PAN-OS | 10.1.0 < 10.1.14-h11 | affected |
| Palo Alto Networks | Prisma Access | 10.2.0 < 10.2.4-h36 | affected |
| Palo Alto Networks | Prisma Access | 11.2.0 < 11.2.4-h5 | affected |
Weaknesses
- CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
Workarounds
If you are not using SCEP, you can disable it to mitigate this risk by running the following command in your PAN-OS command-line interface (CLI): > debug sslmgr set disable-scep-auth-cookie yes
CAUTION: This workaround is effective only until the next reboot, after which you must rerun this command to stay protected.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.