Palo Alto Networks has disclosed a critical denial-of-service vulnerability in its PAN-OS firewall software that allows unauthenticated attackers to remotely reboot firewalls by sending specially crafted packets.
Tracked as CVE-2025-4619, the vulnerability poses significant risks to organizations relying on Palo Alto firewalls for network security.
The flaw, identified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), exists in the PAN-OS software dataplane.
Attackers can exploit this vulnerability without authentication, credentials, or user interaction. When successful, the malicious packet triggers an unexpected reboot of the firewall.
More concerning, repeated exploitation attempts can force the firewall into maintenance mode, severely interrupting network operations and potentially leaving organizations exposed to threats during the downtime.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-4619 |
| Reference | PAN-247099 |
| Vulnerability Type | Denial of Service (DoS) |
| Weakness | CWE-754: Improper Check for Unusual or Exceptional Conditions |
| CVSS v4.0 Score | 6.6 (MEDIUM) |
| CVSS-B Score | 8.7 |
Palo Alto Networks assigned the vulnerability a CVSS 4.0 score of 6.6, rating it as MEDIUM severity with MODERATE urgency.
However, the CVSS-B score reaches 8.7, reflecting the potential business impact. The attack vector is network-based and low-complexity.
The vulnerability directly affects product availability, highlighting its potential to interrupt critical network infrastructure.
PA-Series, VM-Series, and Prisma Access Deployments
The vulnerability affects PA-Series firewalls, VM-Series firewalls, and Prisma Access deployments that are running vulnerable versions of PAN-OS. Cloud NGFW is not impacted.
Vulnerable versions include PAN-OS 10.2 (through 10.2.13), 11.1 (through 11.1.6), and 11.2 (through 11.2.4). PAN-OS 12.1 and 10.1 are unaffected.
Importantly, exploitation requires a specific configuration: the firewall must have a URL proxy or a decrypt policy enabled; even with explicit no-decrypt policies, the vulnerability may be exploitable.
Palo Alto Networks recommends upgrading to patched versions. For PAN-OS 11.2, organizations should update to 11.2.5 or later.
For 11.1, upgrade to 11.1.7. PAN-OS 10.2 users should patch to 10.2.14, applying the appropriate urgency depending on their current version. The company reports that no known workarounds currently exist.
Currently, Palo Alto Networks has not identified any active malicious exploitation of this vulnerability. Administrators should prioritize patching given the ease of exploitation and potential operational impact.
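A fleet check that turns the affected-version and configuration conditions above into a triage list. This is an added example, not Palo Alto Networks code; the release ranges and the Cloud NGFW exemption come from the advisory text, the inventory records are constructed, and the handling of hotfix builds is an assumption (the page does not state whether a hotfix carries the fix).

```python
# Added example (not Palo Alto Networks code): classify PAN-OS versions against
# the CVE-2025-4619 ranges stated above. The inventory at the bottom is constructed.
import re

# Release train -> first fixed patch level, from the advisory (10.1 and 12.1 unaffected).
FIRST_FIXED = {(10, 2): 14, (11, 1): 7, (11, 2): 5}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-h\d+)?$")

def parse_version(text):
    """Return ((major, minor, patch), hotfix_suffix_or_None) for 'X.Y.Z' or 'X.Y.Z-hN'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]

def assess(version, decrypt_or_url_proxy_enabled, product="PA-Series"):
    """Classify one firewall: not_affected, fixed, vulnerable,
    vulnerable_version_no_trigger or hotfix_check_advisory."""
    if product == "Cloud NGFW":            # advisory: Cloud NGFW is not impacted
        return "not_affected"
    (major, minor, patch), hotfix = parse_version(version)
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:                # train not listed as affected
        return "not_affected"
    if patch >= first_fixed:
        return "fixed"
    if hotfix:   # assumption: the page says nothing about hotfix builds, so defer to the vendor
        return "hotfix_check_advisory"
    # Vulnerable code is present; the trigger needs URL proxy or a decrypt policy
    # (the advisory notes explicit no-decrypt policies may also qualify).
    return "vulnerable" if decrypt_or_url_proxy_enabled else "vulnerable_version_no_trigger"

def triage(inventory):
    """Return hostnames that still need an upgrade, most exposed first."""
    order = {"vulnerable": 0, "hotfix_check_advisory": 1, "vulnerable_version_no_trigger": 2}
    todo = [(order[s], h) for h, v, d, p in inventory if (s := assess(v, d, p)) in order]
    return [h for _, h in sorted(todo)]

# Constructed sample inventory: (hostname, version, decrypt/URL-proxy enabled, product)
SAMPLE_INVENTORY = [
    ("edge-fw1", "10.2.13", True, "PA-Series"),
    ("edge-fw2", "11.2.5", True, "VM-Series"),
    ("dc-fw1", "11.1.6", False, "PA-Series"),
    ("cloud-fw1", "11.2.4", True, "Cloud NGFW"),
]
```

Firewalls on a vulnerable release without the decrypt or URL-proxy precondition are still listed, since the advisory offers no workaround and the configuration can change after the check.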
