[Palo Alto Networks Security Advisories] CVE-2025-4229 PAN-OS: Traffic Information Disclosure Vulnerability
CVE-2025-4229 PAN-OS: Traffic Information Disclosure Vulnerability
Description
An information disclosure vulnerability in the SD-WAN feature of Palo Alto Networks PAN-OS® software enables an unauthorized user to view sensitive data sent from the firewall through the SD-WAN interface. This requires the user to be able to intercept packets sent from the firewall.
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | < 11.2.7 | >= 11.2.7 [ETA: June 2025] |
PAN-OS 11.1 | < 11.1.10 | >= 11.1.10 |
PAN-OS 10.2 | < 10.2.15 | >= 10.2.15 |
PAN-OS 10.1 | < 10.1.14-h15 | >= 10.1.14-h15 |
Prisma Access | None | All |
Required Configuration for Exposure
To be vulnerable to this issue, an SD-WAN Interface Profile must be configured on PAN-OS. The interface must also be configured for Direct Internet Access (DIA). Adding an SD-WAN Interface Profile requires the Advanced SD-WAN License.
You can verify whether you configured an SD-WAN Interface Profile by checking for entries in your firewall web interface (Network → Network Profiles → SD-WAN Interface Profile).
To verify if you have Direct Internet Access, see our documentation about configuring Direct Internet Access.
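The Product Status table and the configuration conditions above can be combined into one triage check over a firewall inventory. The Python below is an added example, not Palo Alto Networks code: the function names and inventory records are constructed, and it assumes versions within a release train order by maintenance number and then hotfix number.

```python
import re

# Fixed (maintenance, hotfix) per release train, copied from the
# advisory's Product Status table. 10.1 is fixed in 10.1.14-h15.
FIXED = {
    (11, 2): (7, 0),
    (11, 1): (10, 0),
    (10, 2): (15, 0),
    (10, 1): (14, 15),
}

# major.minor.maintenance with an optional -hN hotfix suffix
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 if absent."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_status(text):
    """'fixed', 'affected', or 'not-listed' for trains absent from the table."""
    major, minor, maint, hotfix = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "not-listed"  # e.g. older unsupported trains: check the advisory
    return "fixed" if (maint, hotfix) >= fixed else "affected"


def is_exposed(version, sdwan_profile, dia_enabled):
    """Exposure needs an affected version, an SD-WAN Interface Profile and DIA."""
    return bool(version_status(version) == "affected"
                and sdwan_profile and dia_enabled)


# Constructed inventory: (name, version, SD-WAN profile configured, DIA enabled)
INVENTORY = [
    ("fw-branch-01", "10.1.14", True, True),
    ("fw-branch-02", "10.1.14-h15", True, True),
    ("fw-hub-01", "11.1.9", True, False),
    ("fw-dc-01", "11.2.6", False, False),
]

if __name__ == "__main__":
    for name, version, profile, dia in INVENTORY:
        print(name, version, version_status(version),
              "EXPOSED" if is_exposed(version, profile, dia) else "not exposed")
```

A firewall that is on an affected version but not exposed still needs the upgrade, since enabling SD-WAN with DIA later would expose it.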
Severity: LOW, Suggested Urgency: MODERATE
CVSS-BT: 2.3 / CVSS-B: 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CAPEC-37 Retrieve Embedded Sensitive Data
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
Cloud NGFW | | No action needed. |
PAN-OS 11.2 | 11.2.0 through 11.2.6 | Upgrade to 11.2.7 or later. |
PAN-OS 11.1 | 11.1.0 through 11.1.9 | Upgrade to 11.1.10 or later. |
PAN-OS 10.2 | 10.2.0 through 10.2.14 | Upgrade to 10.2.15 or later. |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h15 or later. |
All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
Prisma Access | | No action needed. |
Workarounds and Mitigations
If you are not using the SD-WAN feature of PAN-OS, you can mitigate this issue by disabling the SD-WAN feature. To disable the SD-WAN feature, see our documentation about uninstalling the SD-WAN plugin.
If you are using the SD-WAN feature but do not need Direct Internet Access, you can mitigate the issue by disabling Direct Internet Access on the SD-WAN Interface Profile and backhauling your internet traffic to an SD-WAN hub.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:*:*
Timeline