PAN-OS Firewall DoS Vulnerability Let Attacker Reboot Firewall Repeatedly
A significant denial-of-service vulnerability (CVE-2025-0128) affects multiple versions of Palo Alto Networks’ PAN-OS firewall software.
The flaw allows unauthenticated attackers to remotely trigger system reboots using specially crafted packets, potentially forcing devices into maintenance mode through persistent attacks.
The vulnerability was identified in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks’ PAN-OS firewall platform.
Tracked as CVE-2025-0128, this flaw received a CVSS score of 6.6 (MEDIUM), though its network-based attack vector and low complexity make it particularly concerning for exposed systems.
PAN-OS Firewall DoS Vulnerability
The vulnerability enables unauthenticated threat actors to initiate system reboots by sending maliciously crafted packets to affected firewalls.
Repeated exploitation can force devices into maintenance mode, causing extended periods of service unavailability for organizations that rely on these security appliances.
According to the advisory, “A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet.”
Security experts have classified this vulnerability under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-153 (Input Data Manipulation), indicating that the firewall fails to handle unexpected input conditions correctly.
The attack requires no user interaction and can be fully automated, contributing to its dangerous potential despite the “MEDIUM” severity rating.
Notably, the vulnerability scores HIGH on availability impact while presenting no direct threats to confidentiality or integrity.
The discovery is credited to security researcher “Abyss Watcher,” highlighting the ongoing collaboration between independent researchers and vendors to identify and address critical infrastructure vulnerabilities before widespread exploitation.
The summary of the vulnerability is given below:
| Risk Factors | Details |
| --- | --- |
| Affected Products | PAN-OS 11.2 (< 11.2.3), PAN-OS 11.1 (< 11.1.5), PAN-OS 11.0 (< 11.0.6), PAN-OS 10.2 (< 10.2.11), PAN-OS 10.1 (< 10.1.14-h11) |
| Impact | Denial of Service (DoS) |
| Exploit Prerequisites | Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Automatable: Yes |
| CVSS 3.1 Score | 6.6 (MEDIUM) |
Affected Systems
The vulnerability affects multiple PAN-OS versions, including:
- PAN-OS 11.2 (versions before 11.2.3)
- PAN-OS 11.1 (versions before 11.1.5)
- PAN-OS 11.0 (versions before 11.0.6)
- PAN-OS 10.2 (versions before 10.2.11)
- PAN-OS 10.1 (versions before 10.1.14-h11)
Cloud NGFW remains unaffected, while Prisma Access installations have been proactively patched. Importantly, organizations don’t need to have explicitly configured SCEP to be vulnerable – all unpatched systems are at risk.
Mitigation Strategies
Palo Alto Networks recommends immediate upgrades to patched versions:
- For PAN-OS 11.2: Upgrade to 11.2.3 or later
- For PAN-OS 11.1: Upgrade to 11.1.5 or later
- For PAN-OS 11.0: Upgrade to 11.0.6 or later
- For PAN-OS 10.2: Upgrade to 10.2.11 or later
- For PAN-OS 10.1: Upgrade to 10.1.14-h11 or later
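The version ranges above can be turned into an inventory check. The following script is an added example, not code from the article or from Palo Alto Networks: it parses PAN-OS version strings of the form `MAJOR.MINOR.MAINT[-hN]` (the hotfix suffix matters, since 10.1.14 is affected but 10.1.14-h11 is not), compares each firewall against the fixed release for its train, and flags which devices still need the upgrade. The `FIXED_VERSIONS` table is transcribed from the lists above; the inventory hostnames and versions are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases per train, transcribed from the affected/fixed version lists
# on this page. Keyed by (major, minor) so each release train is checked
# against its own fix.
FIXED_VERSIONS = {
    (11, 2): "11.2.3",
    (11, 1): "11.1.5",
    (11, 0): "11.0.6",
    (10, 2): "10.2.11",
    (10, 1): "10.1.14-h11",
}

# PAN-OS versions look like 10.1.14 or 10.1.14-h11 (hotfix suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A missing hotfix suffix sorts as hotfix 0, so 10.1.14 < 10.1.14-h11,
    which is exactly the ordering the advisory relies on.
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release for this version's train, or None if the
    train is not listed on the page (no claim is made about it)."""
    v = parse_version(version)
    return FIXED_VERSIONS.get((v[0], v[1]))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below its train's fixed release, False if it is
    at or above it, None if the train is not covered by the advisory text."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Classify (hostname, version) pairs into a simple report: one row per
    device with a status label and the release it should be upgraded to."""
    labels = {True: "VULNERABLE", False: "patched", None: "not listed"}
    report = []
    for name, version in inventory:
        report.append((name, version, labels[is_vulnerable(version)], fixed_version_for(version)))
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.2.2"),
    ("fw-edge-02", "11.2.3"),
    ("fw-dc-01", "10.1.14"),
    ("fw-dc-02", "10.1.14-h11"),
    ("fw-lab-01", "9.1.0"),
]

if __name__ == "__main__":
    for name, version, status, fixed in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {fixed}" if status == "VULNERABLE" else ""
        print(f"{name:12} {version:12} {status}{target}")
```

Because the check keys on the release train, a device on a train the advisory does not mention is reported as "not listed" rather than guessed at; confirm those against the vendor advisory directly.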
For organizations unable to update immediately, a temporary CLI-based workaround exists. Administrators can run the following command:
Security teams should note this mitigation must be reapplied after any system reboot to maintain protection.
Palo Alto Networks states they are “not aware of any malicious exploitation of this issue” in the wild. However, now that details are public, security teams should assume exploitation attempts will begin shortly.
Network security experts recommend immediate patching as the most effective protection against this threat, particularly for internet-facing firewall deployments with the most significant attack surface.