PAN-OS DoS Vulnerability Allows Attackers to Force Repeated Firewall Reboots
A newly disclosed denial-of-service (DoS) vulnerability in Palo Alto Networks’ PAN-OS software enables attackers to force firewalls into repeated reboots using maliciously crafted packets.
Tracked as CVE-2025-0128, the flaw impacts SCEP (Simple Certificate Enrollment Protocol) authentication and poses significant risks to unpatched systems.
The vulnerability, CVE-2025-0128, enables unauthenticated attackers to disrupt network operations by sending a single malicious packet, triggering repeated firewall reboots.
.png
"PAN-OS DoS Vulnerability Allows Attackers to Force Repeated Firewall Reboots 2")
These attacks force firewalls into maintenance mode, significantly impacting network availability and creating potential downtime for critical systems.
Palo Alto Networks has rated the severity of this issue as 6.6 (MEDIUM) on the CVSS v4.0 scale, with an 8.7 Base Score for unpatched PAN-OS systems.
Immediate mitigation and upgrades are essential to minimize the risk of exploitation. The vulnerability stems from improper checks in SCEP authentication handling.
Attackers exploiting this flaw bypass standard security controls, causing the firewall’s management plane to crash and reboot.
Systems not explicitly configured to use SCEP remain vulnerable, requiring immediate mitigation.
Affected Products
| Component | Affected Versions | Unaffected/Fixed Versions |
| PAN-OS 11.2 | < 11.2.3 | ≥ 11.2.3 |
| PAN-OS 11.1 | < 11.1.5 | ≥ 11.1.5 |
| PAN-OS 10.2 | < 10.2.11 | ≥ 10.2.11 |
| Prisma Access | < 10.2.4-h36, < 10.2.10-h16, < 11.2.4-h5 | ≥ 10.2.4-h36, ≥ 10.2.10-h16, ≥ 11.2.4-h5 |
| EoL Versions | PAN-OS 11.0, 10.0, 9.1, 9.0, and earlier | Presumed vulnerable (no fixes planned) |
Cloud NGFW and proactively updated Prisma Access tenants are not impacted.
Mitigation and Solutions
Palo Alto Networks recommends the following actions:
1. Immediate Upgrades
| PAN-OS Version | Fixed Version |
| 11.2.x | Upgrade to 11.2.3+ |
| 11.1.x | Upgrade to 11.1.5+ |
| 10.2.x | Upgrade to 10.2.11+ |
2. Workaround
Disable SCEP authentication via CLI for temporary protection:
> debug sslmgr set disable-scep-auth-cookie yes 3. Prisma Access
Tenants have been automatically protected since March 21, 2025.
Vulnerability Summary Table
| Metric | Details |
| CVE ID | CVE-2025-0128 |
| CVSS v4.0 Score | 6.6 (MEDIUM) / 8.7 (Base) |
| Exploit Maturity | Unreported |
| Attack Complexity | Low (No prerequisites) |
| Impact | High Availability Loss |
| Automatable | Yes |
| Public Exploits | None observed as of April 10, 2025 |
While no active exploitation has been reported, Palo Alto Networks classifies this vulnerability as having MODERATE urgency due to its potential to disrupt critical services.
Administrators should prioritize patching, especially for firewalls exposed to untrusted networks.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
