CVE-2025-4235
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber
Summary
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account’s permissions. The impact varies by configuration:
- Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention under a Domain Credential Filter https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions configuration.
- Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | User-ID Credential Agent | 11.0.0 < 11.0.2-133 | unaffected |
Weaknesses
- CWE-497: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Workarounds
By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the "Allow log on locally" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path: * Group Policy Management > Domain Controllers > Select GPO (Edit) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Allow log on locally".
Refer to the " Create a Dedicated Service Account for the User-ID Agent https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent " and " Configure Credential Detection with the Windows User-ID Agent https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/configure-credential-detection-with-the-windows-based-user-id-agent " guidelines to ensure service accounts are configured with appropriate permissions and restrictions.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.