[Palo Alto Networks Security Advisories] CVE-2025-2181 Checkov by Prisma Cloud: Cleartext Exposure of Credentials

Palo Alto Networks Security Advisories /CVE-2025-2181

CVE-2025-2181 Checkov by Prisma Cloud: Cleartext Exposure of Credentials

UrgencyMODERATE

Severity2 ·LOW

Exploit MaturityUNREPORTED

Response EffortMODERATE

RecoveryUSER

Value DensityDIFFUSE

Attack VectorNETWORK

Attack ComplexityLOW

Attack RequirementsPRESENT

AutomatableNO

User InteractionACTIVE

Product ConfidentialityHIGH

Product IntegrityNONE

Product AvailabilityNONE

Privileges RequiredNONE

Subsequent ConfidentialityLOW

Subsequent IntegrityLOW

Subsequent AvailabilityLOW

CVE JSON CSAF

Published2025-08-13

Updated2025-08-13

ReferenceBCE-42897

Discoveredexternally

Description

A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov’s output.

Product Status

Versions	Affected	Unaffected
Checkov by Prisma Cloud 3.2.0	< 3.2.449	>= 3.2.449

Required Configuration for Exposure

No special configuration is required to be affected by this issue.

Severity:LOW, Suggested Urgency:MODERATE

Attacker finds a Prisma Cloud access key in a Checkov output file that a user uploaded to an insecure location.
LOW– CVSS-BT: 2.0 /CVSS-B: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Attacker gains access to a system and then finds a Checkov output file that contains an exposed Prisma Cloud access key.
LOW– CVSS-BT: 1.7 /CVSS-B: 5.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-312 Cleartext Storage of Sensitive Information

CAPEC-37 Retrieve Embedded Sensitive Data

Solution

Version	Minor Version	Suggested Solution
Checkov by Prisma Cloud 3.2	3.2.0 through 3.2.448	Upgrade to 3.2.449 or later.

Checkov integration in Prisma Cloud is upgraded automatically when new versions become available. All Prisma Cloud access keys used by Checkov should be rotated after upgrading to a fixed version (this step is recommended for all modes of using Checkov).

Workarounds and Mitigations

No known workarounds exist for this issue.

Acknowledgments

Palo Alto Networks thanks Shashank Chaurasia for discovering and reporting this issue.

CPE Applicability

cpe:2.3:a:palo_alto_networks:checkov_by_prisma_cloud:*:*:*:*:*:*:*:* is vulnerable from (including)3.2.0 and up to (excluding)3.2.449

Timeline

2025-08-13Initial Publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, OSINT, threatintel

[Palo Alto Networks Security Advisories] CVE-2025-2181 Checkov by Prisma Cloud: Cleartext Exposure of Credentials