[Palo Alto Networks Security Advisories] CVE-2025-0130 PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Featurevia a Burst of Maliciously Crafted Packets
Palo Alto Networks Security Advisories /CVE-2025-0130
CVE-2025-0130 PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Feature via a Burst of Maliciously Crafted Packets
Description
A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.
This issue does not affect Cloud NGFW or Prisma Access.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.2 | < 11.2.5 | >= 11.2.5 |
| PAN-OS 11.1 | < 11.1.6-h1 < 11.1.7-h2 < 11.1.8 | >= 11.1.6-h1 >= 11.1.7-h2 >= 11.1.8 |
| PAN-OS 10.2 | None | All |
| PAN-OS 10.1 | None | All |
| Prisma Access | None | All |
This issue affects only PAN-OS 11.0 and later PAN-OS versions. PAN-OS 11.0 software is end-of-life (EoL) so we do not intend to fix this issue in this version.
Required Configuration for Exposure
This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.
To verify if you have configured web proxy on your PAN-OS device, see our documentation regarding the web proxy feature.
Severity:MEDIUM, Suggested Urgency:MODERATE
CVSS-BT:4.6 /CVSS-B:8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:C/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-583 Disabling Network Hardware
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.2 | 11.2.0 through 11.2.4 | Upgrade to 11.2.5 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.7 | Upgrade to 11.1.7-h2 or 11.1.8 or later. |
| 11.1.0 through 11.1.6 | Upgrade to 11.1.6-h1 or 11.1.8 or later. | |
| PAN-OS 11.0 (EoL) | Upgrade to a supported fixed version. | |
| PAN-OS 10.2 | No action needed. | |
| PAN-OS 10.1 | No action needed. | |
| All other unsupported PAN-OS versions | Upgrade to a supported fixed version. |
Workarounds and Mitigations
If you are not using the web proxy feature, you can disable it to mitigate this issue. For more information regarding the web proxy feature, see our documentation regarding the web proxy feature.
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
Timeline
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
