A newly disclosed denial-of-service (DoS) vulnerability in Palo Alto Networks’ PAN-OS software enables attackers to force firewalls into repeated reboots using maliciously crafted packets.
Tracked as CVE-2025-0128, the flaw impacts SCEP (Simple Certificate Enrollment Protocol) authentication and poses significant risks to unpatched systems.
The vulnerability, CVE-2025-0128, enables unauthenticated attackers to disrupt network operations by sending a single malicious packet, triggering repeated firewall reboots.
These attacks force firewalls into maintenance mode, significantly impacting network availability and creating potential downtime for critical systems.
Palo Alto Networks has rated the severity of this issue as 6.6 (MEDIUM) on the CVSS v4.0 scale, with an 8.7 Base Score for unpatched PAN-OS systems.
Immediate mitigation and upgrades are essential to minimize the risk of exploitation. The vulnerability stems from improper checks in SCEP authentication handling.
Attackers exploiting this flaw bypass standard security controls, causing the firewall’s management plane to crash and reboot.
Firewalls that are not explicitly configured to use SCEP remain vulnerable as well and require immediate mitigation.
Component | Affected Versions | Unaffected/Fixed Versions |
PAN-OS 11.2 | < 11.2.3 | ≥ 11.2.3 |
PAN-OS 11.1 | < 11.1.5 | ≥ 11.1.5 |
PAN-OS 10.2 | < 10.2.11 | ≥ 10.2.11 |
Prisma Access | < 10.2.4-h36, < 10.2.10-h16, < 11.2.4-h5 | ≥ 10.2.4-h36, ≥ 10.2.10-h16, ≥ 11.2.4-h5 |
EoL Versions | PAN-OS 11.0, 10.0, 9.1, 9.0, and earlier | Presumed vulnerable (no fixes planned) |
Cloud NGFW and proactively updated Prisma Access tenants are not impacted.
Palo Alto Networks recommends the following actions:
1. Immediate Upgrades
PAN-OS Version | Fixed Version |
11.2.x | Upgrade to 11.2.3+ |
11.1.x | Upgrade to 11.1.5+ |
10.2.x | Upgrade to 10.2.11+ |
2. Workaround
Disable SCEP authentication via CLI for temporary protection:
> debug sslmgr set disable-scep-auth-cookie yes
3. Prisma Access
Tenants have been automatically protected since March 21, 2025.
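To triage a firewall inventory against the PAN-OS rows of the affected-versions table above, a short script can classify each reported software version. This is an added example, not code from Palo Alto Networks or from this article; the function names, status labels and sample hostnames are assumptions, and only the version floors come from the table.

```python
import re

# Fixed-version floor per PAN-OS release train, from the table on this page.
FIXED_FLOOR = {(11, 2): 3, (11, 1): 5, (10, 2): 11}
# Trains the table lists as end-of-life: presumed vulnerable, no fix planned.
EOL_TRAINS = {(11, 0), (10, 0), (9, 1), (9, 0)}

# A "-hN" hotfix suffix is accepted but not compared: the page gives no
# hotfix-level floors for the PAN-OS trains.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def classify(version):
    """Return a status label (hypothetical names) for one PAN-OS version."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, maint = int(m[1]), int(m[2]), int(m[3])
    train = (major, minor)
    if train in FIXED_FLOOR:
        return "fixed" if maint >= FIXED_FLOOR[train] else "affected"
    # "9.0, and earlier" in the table covers every train below 9.0 too.
    if train in EOL_TRAINS or train < (9, 0):
        return "eol-presumed-vulnerable"
    # Train not mentioned on this page: check the vendor advisory by hand.
    return "not-listed"

def triage(inventory):
    """Group (hostname, version) pairs by status, keeping input order."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    ("fw-edge-01", "11.2.2-h1"),
    ("fw-edge-02", "11.2.3"),
    ("fw-dc-01", "11.1.4-h7"),
    ("fw-dc-02", "10.2.11-h2"),
    ("fw-lab-01", "9.1.16"),
    ("fw-lab-02", "10.1.14"),
    ("fw-old-01", "8.1.25"),
    ("fw-bad", "unknown"),
]
if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "not-listed" or "unparsed" need a manual check rather than being treated as safe.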
Vulnerability Summary Table
Metric | Details |
CVE ID | CVE-2025-0128 |
CVSS v4.0 Score | 6.6 (MEDIUM) / 8.7 (Base) |
Exploit Maturity | Unreported |
Attack Complexity | Low (No prerequisites) |
Impact | High Availability Loss |
Automatable | Yes |
Public Exploits | None observed as of April 10, 2025 |
While no active exploitation has been reported, Palo Alto Networks classifies this vulnerability as having MODERATE urgency due to its potential to disrupt critical services.
Administrators should prioritize patching, especially for firewalls exposed to untrusted networks.