CVE-2025-0130

Summary

A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.

This issue does not affect Cloud NGFW or Prisma Access.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.5affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.6-h1affected
Palo Alto NetworksPAN-OS10.2.0unaffected
Palo Alto NetworksPAN-OS10.1.0unaffected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions

Workarounds

If you are not using the web proxy feature, you can disable it to mitigate this issue. For more information regarding the web proxy feature, see our documentation regarding the web proxy feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps:// .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References