[Palo Alto Networks Security Advisories] CVE-2025-4614 PAN-OS: Session Token Disclosure Vulnerability
Palo Alto Networks Security Advisories /CVE-2025-4614
CVE-2025-4614 PAN-OS: Session Token Disclosure Vulnerability
Description
An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.
Cloud NGFW and Prisma® Access are not affected by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | None | All |
| PAN-OS 11.2 | < 11.2.8 | >= 11.2.8 |
| PAN-OS 11.1 | < 11.1.12 | >= 11.1.12 |
| PAN-OS 10.2 | < 10.2.17 | >= 10.2.17 |
| Prisma Access | None | All |
Required Configuration for Exposure
The debug option must be enabled on the following URL: https://<ip>/php/utils/debug.php
Severity:LOW, Suggested Urgency:MODERATE
CVSS-BT:1.1 /CVSS-B:4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW | No action needed. | |
| PAN-OS 12.1 | No action needed. | |
| PAN-OS 11.2 | 11.2.0 through 11.2.7 | Upgrade to 11.2.8 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.11 | Upgrade to 11.1.12 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.16 | Upgrade to 10.2.17 or later. |
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access | No action needed. |
Workarounds and Mitigations
There are no known workarounds for this issue.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.11:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.10:*:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.12
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.0 and up to (excluding)10.2.17
Timeline
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
