CVE-2025-0136
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber
Summary
Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec.
This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls.
NOTE: The AES-128-CCM encryption algorithm is not recommended for use.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 11.2.0 | unaffected |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.5 | affected |
| Palo Alto Networks | PAN-OS | 11.0.0 < 11.0.7 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.11 | affected |
| Palo Alto Networks | PAN-OS | 10.1.0 < 10.1.14-h14 | affected |
| Palo Alto Networks | Prisma Access | All | unaffected |
Weaknesses
- CWE-319: CWE-319 Cleartext Transmission of Sensitive Information
Workarounds
Configure IPSec Crypto encryption to an algorithm that meets current security standards, such as AES-256-GCM or AES-256-CBC, on PA 7500, PA 5400, PA 5400f, PA 3400, PA 1600, PA 1400, and PA 400 series hardware PAN-OS firewalls. For more information on configuring the IPSec Crypto Profiles see our documentation https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles .
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.