A newly disclosed vulnerability in the Palo Alto Networks User-ID Credential Agent on Windows systems allows service account passwords to be exposed in cleartext under certain non-default configurations.
Tracked as CVE-2025-4235, the flaw carries a CVSS base score of 4.2 (Medium) and has been assigned a Moderate urgency level.
Palo Alto Networks published the advisory on September 10, 2025, advising customers to upgrade to a fixed release so that the exposed credential cannot be turned into privilege escalation or disruption of the agent service.
Overview of the Vulnerability
The User-ID Credential Agent runs under a Windows service account and reads user information from Active Directory so that the firewall can enforce credential-based policies, such as credential phishing prevention. Under specific custom (non-default) configurations, a non-privileged local user on the agent host can retrieve that service account's password in cleartext.
| Field | Description |
| --- | --- |
| CVE Identifier | CVE-2025-4235 |
| Severity | CVSS 4.2 (Medium) |
| Urgency | Moderate |
Successful exploitation can let an attacker stop, disable or uninstall the agent service, undermine firewall policies that rely on its credential filters, or escalate further, depending on the rights granted to the service account.
The flaw affects the User-ID Credential Agent on Windows from version 11.0.2-133 up to, but not including, 11.0.3. Builds earlier than 11.0.2-133 do not contain the vulnerable code.
Palo Alto Networks rates the risk higher when the service account holds privileged roles such as Server Operators, or rights such as joining computers to the domain, because an attacker with the cleartext password could then control servers, create rogue computer objects, or perform network reconnaissance.
Exploitation of CVE-2025-4235 can result in varying levels of impact:
- A minimally privileged service account still lets the attacker disrupt the agent, which can disable credential phishing prevention and weaken the URL filtering policies that depend on it.
- A service account in an elevated group such as Server Operators can give the attacker control of domain controllers, including shutting them down or restarting them, and the ability to manipulate domain objects.
- Network policy enforcement may be bypassed or degraded, leading to increased exposure to lateral movement and reconnaissance activities.
No reports exist of active exploits in the wild, and exploit maturity remains unreported.
However, the local-only attack vector combined with low complexity and no required user interaction makes this flaw attractive for internal threat actors or compromised hosts.
The advisory rates recovery as requiring manual, user-level action on affected systems and rates the issue as not automatable, since exploitation needs local access to the agent host.
Mitigation and Recommended Actions
Palo Alto Networks recommends the following steps to address CVE-2025-4235:
Upgrade Path
- Agents running versions earlier than 11.0.2-133 (the advisory lists 11.0.0 through 11.0.1-104) do not include the vulnerable code and require no action.
- Agents running 11.0.2-133 or any later build below 11.0.3 should be upgraded to 11.0.3 or later on Windows.
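The two checks a Windows administrator would want to script from the guidance above are the version-range test and a review of the privileges held by the account the agent service runs as. The PowerShell below is an added example written for this page, not Palo Alto Networks code. It assumes (none of this comes from the advisory) that the agent's service can be found by matching its display name on "User-ID" and "Credential" (adjust `$ServiceFilter` to your install), that the installed version is supplied as the `major.minor.patch[-build]` string used in the advisory (for example `11.0.2-133`), and that the ActiveDirectory PowerShell module is available for the group lookup.

```powershell
# Added example (not Palo Alto Networks code): audit a Windows host for CVE-2025-4235.
# Assumptions not taken from the advisory:
#   - $ServiceFilter matches the agent's service display name on this host.
#   - The version string has the "major.minor.patch[-build]" form, e.g. "11.0.2-133".
#   - The ActiveDirectory module is present for Get-ADPrincipalGroupMembership.

$ServiceFilter = '*User-ID*Credential*'

# Affected range as reported above: from 11.0.2-133 up to, but not including, 11.0.3.
$FirstAffected = '11.0.2-133'
$FixedVersion  = '11.0.3'

# Domain groups whose membership turns a leaked service password into server or domain control.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                      'Server Operators', 'Account Operators', 'Backup Operators')

# Turn "11.0.2-133" into four integers; a missing "-build" suffix counts as build 0.
function ConvertTo-VersionParts {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -notmatch '^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$') {
        throw "Unrecognised agent version string: '$Text'"
    }
    $build = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
    return @([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $build)
}

# Component-wise comparison of two version strings: returns -1, 0 or 1.
function Compare-AgentVersion {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $pa = ConvertTo-VersionParts $A
    $pb = ConvertTo-VersionParts $B
    for ($i = 0; $i -lt 4; $i++) {
        if ($pa[$i] -ne $pb[$i]) { return [Math]::Sign($pa[$i] - $pb[$i]) }
    }
    return 0
}

# True when the supplied version lies inside the affected range.
function Test-AffectedVersion {
    param([Parameter(Mandatory)][string]$Version)
    return (((Compare-AgentVersion $Version $FirstAffected) -ge 0) -and
            ((Compare-AgentVersion $Version $FixedVersion) -lt 0))
}

# Resolve the account each matching service runs as and list its privileged group memberships.
function Get-AgentServiceAccountRisk {
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $ServiceFilter }
    if (-not $services) {
        Write-Warning "No service matching '$ServiceFilter' found on $env:COMPUTERNAME"
        return
    }
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($svc in $services) {
        $account = $svc.StartName
        # Built-in identities carry no reusable domain password; only domain accounts matter here.
        if ($account -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
            [pscustomobject]@{ Service = $svc.Name; Account = $account; PrivilegedGroups = @(); Note = 'built-in identity' }
            continue
        }
        # Accept "DOMAIN\name" or "name@domain.tld" and reduce to the sAMAccountName.
        $sam = ($account -split '\\')[-1] -replace '@.*$', ''
        # Direct memberships only; nested membership would need a tokenGroups lookup.
        $groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
        $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
        [pscustomobject]@{
            Service          = $svc.Name
            Account          = $account
            PrivilegedGroups = $hits
            Note             = if ($hits.Count -gt 0) { 'leaked password would grant elevated access; reduce privileges' } else { 'least privilege looks acceptable' }
        }
    }
}

# Usage: pass the version read from the installed agent, then review the service account.
Test-AffectedVersion '11.0.2-133'
Test-AffectedVersion '11.0.1-104'
Get-AgentServiceAccountRisk | Format-List
```

The version comparison is written by hand rather than cast to `[version]` because the `-build` suffix in the advisory's version strings is not a fourth dotted component, and a string comparison would order `11.0.2-133` incorrectly against `11.0.3`. The group check reports direct memberships only, so an account that inherits Server Operators through a nested group will not be flagged; treat a clean result as a starting point, not a clearance.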
By upgrading to a fixed release, organizations eliminate the cleartext password exposure and preserve the integrity of the Active Directory integration that their firewall policies depend on.
Continuous review of service account permissions and adherence to least-privilege principles will further reduce the risk of privilege escalation through this and similar vulnerabilities.