Palo Alto Networks Security Advisories
CVE-2025-4235 User-ID Credential Agent: Cleartext Exposure of Service Account Password
Description
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by abusing the permissions granted to that service account. The impact depends on how the account is configured:
- Minimally privileged accounts: permit disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that rely on Credential Phishing Prevention under a Domain Credential Filter configuration.
- Elevated accounts (Server Operator, Domain Join, legacy features): permit greater impact, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.
Product Status
Versions | Affected | Unaffected
---|---|---
User-ID Credential Agent 11.0.0 on Windows | >= 11.0.2-133 and < 11.0.3 | < 11.0.2-133, or >= 11.0.3
Severity: MEDIUM, Suggested Urgency: MODERATE
Elevated Service Accounts
MEDIUM – CVSS-BT: 4.2 / CVSS-B: 7.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Minimally Privileged Service Account
LOW – CVSS-BT: 1.9 / CVSS-B: 5.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CAPEC-37: Retrieve Embedded Sensitive Data
Solution
Version | Minor Version | Suggested Solution
---|---|---
User-ID Credential Agent 11.0 on Windows | 11.0.2-133 | Upgrade to 11.0.3 or later
User-ID Credential Agent 11.0 on Windows | 11.0.0 through 11.0.1-104 | No action needed.
Workarounds and Mitigations
- By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the “Allow log on locally” setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path:
- Group Policy Management > Domain Controllers > Select GPO (Edit) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > “Allow log on locally”.
- Refer to the “Create a Dedicated Service Account for the User-ID Agent” and “Configure Credential Detection with the Windows User-ID Agent” guidelines to ensure service accounts are configured with appropriate permissions and restrictions.
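The "Allow log on locally" review described above, as an added PowerShell check that is not part of the advisory: it exports the effective user-rights assignment on the domain controller it runs on and flags Domain Users (RID 513), Everyone and Authenticated Users as grantees that should be removed. It assumes an elevated session on the DC; secedit.exe and the .NET SID translation it uses are standard Windows features, and the function names are this example's own.

```powershell
# Added example (not from the advisory): audit the effective "Allow log on locally"
# right (SeInteractiveLogonRight) on the machine this runs on, intended for a
# Domain Controller, and flag broad groups such as Domain Users.
# Assumes an elevated PowerShell session; secedit.exe is built into Windows.

function Get-InteractiveLogonGrantees {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the effective local security policy, including the
    # [Privilege Rights] section populated by Group Policy, to an .inf file.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Values are comma-separated; SIDs are prefixed with '*', names appear bare.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $raw = $_.Trim()
        if ($raw.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($raw.Substring(1))
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
            [pscustomobject]@{ Sid = $sid.Value; Name = $name }
        } else {
            [pscustomobject]@{ Sid = $null; Name = $raw }
        }
    }
}

# Domain Users is the group with RID 513 in every domain; Everyone (S-1-1-0) and
# Authenticated Users (S-1-5-11) are equally broad and should not hold this right on a DC.
function Test-BroadLogonGrant {
    param([object]$Grantee)
    if ($Grantee.Sid -and $Grantee.Sid -match '-513$') { return $true }
    return ($Grantee.Sid -in @('S-1-1-0', 'S-1-5-11'))
}

foreach ($g in Get-InteractiveLogonGrantees) {
    $flag = if (Test-BroadLogonGrant $g) { 'REVIEW' } else { 'ok' }
    '{0,-8} {1}  {2}' -f $flag, $g.Name, $g.Sid
}
```

Any grantee marked REVIEW should be removed from the "Allow log on locally" entry in the Default Domain Controllers Policy via the Group Policy Management path listed above, then re-checked after a gpupdate.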
Acknowledgments
CPE Applicability
Timeline