[Palo Alto Networks Security Advisories] CVE-2025-2182 PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)
CVE-2025-2182 PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)
Description
A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue applies only to PA-7500 Series devices that are members of an NGFW cluster.
The CAK is the root key of MACsec Key Agreement, from which the session keys protecting the cluster link are derived and distributed, so a user who obtains it can read the traffic exchanged between members of an NGFW cluster. There is no impact on firewalls that are not clustered, or on clusters that do not enable MACsec.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS | None on devices other than PA-7500 | All on devices other than PA-7500 |
PAN-OS 11.2 | < 11.2.8 on PA-7500 | >= 11.2.8 on PA-7500 |
PAN-OS 11.1 | < 11.1.10 on PA-7500 | >= 11.1.10 on PA-7500 |
PAN-OS 10.2 | None on PA-7500 | All on PA-7500 |
PAN-OS 10.1 | None on PA-7500 | All on PA-7500 |
Prisma Access | None | All |
Required Configuration for Exposure
The following conditions must be true to be vulnerable to this issue:
Your PA-7500 Series devices must be in an NGFW cluster. For more information regarding NGFW Clusters see our documentation.
A MACsec policy must be configured and enabled for the NGFW cluster. For more information about MACsec profiles please see our documentation.
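The affected ranges in the Product Status table and the two configuration preconditions above are easy to misread for hotfix builds (for example, 11.2.7-h3 is still below 11.2.8 and therefore affected). The following Python is an added example, not code from Palo Alto Networks or from this advisory: it encodes the advisory's version table and preconditions as a check a practitioner can run over their own inventory. The `model:` and `sw-version:` field names follow the output of the PAN-OS `show system info` command; the sample text is constructed, and the cluster and MACsec states are passed as booleans because the advisory does not document how they appear on the CLI.

```python
import re

# Version ranges from the advisory's Product Status table. Only PA-7500
# Series devices are in scope; for them 11.2.x is fixed at 11.2.8 and
# 11.1.x at 11.1.10, while 10.2 and 10.1 were never affected.
AFFECTED_MODEL = "PA-7500"
FIXED_IN = {(11, 2): (11, 2, 8), (11, 1): (11, 1, 10)}
NEVER_AFFECTED_TRAINS = {(10, 2), (10, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Parse 'major.minor.maint[-hN]' (e.g. '11.2.4-h2') into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def advisory_status(model, version):
    """Classify a model/version pair against the advisory.

    Returns 'affected', 'fixed', 'unaffected' or 'not-listed'. Hotfix builds
    of an affected maintenance release (11.2.7-h1) count as affected because
    the table says '< 11.2.8', not a list of base releases.
    """
    if model.strip().upper() != AFFECTED_MODEL:
        return "unaffected"            # every release on other models
    major, minor, maint, _hotfix = parse_panos_version(version)
    train = (major, minor)
    if train in NEVER_AFFECTED_TRAINS:
        return "unaffected"
    fixed = FIXED_IN.get(train)
    if fixed is None:
        # Trains the advisory does not list (e.g. unsupported ones): the
        # Solution table says to move to a supported fixed version.
        return "not-listed"
    return "affected" if (major, minor, maint) < fixed else "fixed"


def is_exposed(model, version, in_ngfw_cluster, macsec_enabled):
    """All three advisory preconditions must hold for the CAK to be exposed."""
    return (advisory_status(model, version) == "affected"
            and in_ngfw_cluster and macsec_enabled)


def parse_system_info(text):
    """Read 'key: value' lines such as those printed by 'show system info'."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


# Constructed sample, not captured from a real device; field names follow the
# 'model:' and 'sw-version:' lines of PAN-OS 'show system info'.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-cluster-a
model: PA-7500
sw-version: 11.2.4-h2
"""


def assess(system_info_text, in_ngfw_cluster, macsec_enabled):
    """Return the advisory status and exposure verdict for one device."""
    info = parse_system_info(system_info_text)
    model, version = info["model"], info["sw-version"]
    return {
        "model": model,
        "version": version,
        "status": advisory_status(model, version),
        "exposed": is_exposed(model, version, in_ngfw_cluster, macsec_enabled),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_INFO, in_ngfw_cluster=True, macsec_enabled=True))
```

A device that is `affected` but not in a cluster, or in a cluster without a MACsec policy, is not exposed today; it still belongs on the upgrade list, because enabling either feature later would expose it without any further code change.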
Severity: LOW, Suggested Urgency: MODERATE
CVSS-BT: 3.3 / CVSS-B: 6.8 (CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/AU:N/R:A/V:D/RE:M/U:Amber)
The vector reflects that the attacker needs adjacent network access to the cluster link (AV:A) and high privileges on the firewall (PR:H), and that the cluster and MACsec preconditions must already be in place (AT:P). The base score of 6.8 drops to 3.3 once the threat metrics are applied, since no exploitation has been observed (E:U).
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-312 Cleartext Storage of Sensitive Information
CAPEC-158 Sniffing Network Traffic
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Cloud NGFW | | No action needed. |
PAN-OS 11.2 on PA-7500 | 11.2.0 through 11.2.7 | Upgrade to 11.2.8 or later. |
PAN-OS 11.1 on PA-7500 | 11.1.0 through 11.1.9 | Upgrade to 11.1.10 or later. |
PAN-OS 10.2 on PA-7500 | | No action needed. |
PAN-OS 10.1 on PA-7500 | | No action needed. |
PAN-OS on devices other than PA-7500 | | No action needed. |
All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
Prisma Access | | No action needed. |
Workarounds and Mitigations
No known workarounds exist for this issue. Note that the fix stops further exposure but does not retire a CAK that may already have been read, so plan to replace the MACsec CAK on the cluster after upgrading.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:PA-7500:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:PA-7500:*:* is vulnerable from (including) 11.2.0 and up to (excluding) 11.2.8
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:PA-7500:*:* is vulnerable from (including) 11.1.0 and up to (excluding) 11.1.10
Timeline