
PAN-OS DoS Vulnerability Allows Attackers to Force Repeated Firewall Reboots

A newly disclosed denial-of-service (DoS) vulnerability in Palo Alto Networks’ PAN-OS software enables attackers to force firewalls into repeated reboots using maliciously crafted packets.

Tracked as CVE-2025-0128, the flaw impacts SCEP (Simple Certificate Enrollment Protocol) authentication and poses significant risks to unpatched systems.

An unauthenticated attacker can disrupt network operations by sending a single malicious packet that triggers repeated firewall reboots.

These attacks force firewalls into maintenance mode, significantly impacting network availability and creating potential downtime for critical systems.

Palo Alto Networks has rated the severity of this issue as 6.6 (MEDIUM) on the CVSS v4.0 scale, with an 8.7 Base Score for unpatched PAN-OS systems.

Immediate mitigation and upgrades are essential to minimize the risk of exploitation. The vulnerability stems from improper checks in SCEP authentication handling.

Attackers exploiting this flaw bypass standard security controls, causing the firewall’s management plane to crash and reboot.

Firewalls remain vulnerable even when SCEP has not been explicitly configured, so they also require immediate mitigation.

Affected Products

| Component | Affected Versions | Unaffected/Fixed Versions |
|---|---|---|
| PAN-OS 11.2 | < 11.2.3 | ≥ 11.2.3 |
| PAN-OS 11.1 | < 11.1.5 | ≥ 11.1.5 |
| PAN-OS 10.2 | < 10.2.11 | ≥ 10.2.11 |
| Prisma Access | < 10.2.4-h36, < 10.2.10-h16, < 11.2.4-h5 | ≥ 10.2.4-h36, ≥ 10.2.10-h16, ≥ 11.2.4-h5 |
| EoL Versions | PAN-OS 11.0, 10.0, 9.1, 9.0, and earlier | Presumed vulnerable (no fixes planned) |

Cloud NGFW and proactively updated Prisma Access tenants are not impacted.
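
To triage a fleet against the PAN-OS rows of the table above, the following added example (not code from Palo Alto Networks or from this article) classifies version strings by branch. The hostnames and versions in the inventory are constructed, the status labels are assumptions, and branches the table does not mention are reported as not listed rather than guessed.

```python
import re

# Fixed release per branch, from the PAN-OS rows of the table above.
FIXED = {(11, 2): (11, 2, 3, 0), (11, 1): (11, 1, 5, 0), (10, 2): (10, 2, 11, 0)}
# Branches the table lists as end-of-life and presumed vulnerable.
EOL = {(11, 0), (10, 0), (9, 1), (9, 0)}
# major.minor.maintenance with an optional -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Turn '11.1.4-h7' into (11, 1, 4, 7); a missing hotfix counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def classify(version):
    """Return a status label (labels are this example's own, not the vendor's)."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED:
        # The table lists no hotfix-level fixes for PAN-OS, so any build
        # below the fixed maintenance release is treated as affected.
        return "fixed" if parsed >= FIXED[branch] else "affected"
    if branch in EOL or branch < (9, 0):
        return "eol-presumed-vulnerable"
    return "not-listed"  # branch absent from the table: check the advisory

def needs_action(inventory):
    """Map host -> status for every firewall not on a fixed release."""
    findings = {}
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "unparsed"
        if status != "fixed":
            findings[host] = status
    return findings

# Constructed inventory: hypothetical hostnames and versions.
SAMPLE = {"fw-edge-01": "11.2.2-h1", "fw-edge-02": "11.2.3",
          "fw-dc-01": "11.1.5-h2", "fw-dc-02": "10.2.9-h1",
          "fw-lab-01": "9.1.14", "fw-lab-02": "10.1.12", "fw-old": "8.1"}

if __name__ == "__main__":
    for host, status in sorted(needs_action(SAMPLE).items()):
        print(f"{host}: {status}")
```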

Mitigation and Solutions

Palo Alto Networks recommends the following actions:

1. Immediate Upgrades

| PAN-OS Version | Fixed Version |
|---|---|
| 11.2.x | Upgrade to 11.2.3+ |
| 11.1.x | Upgrade to 11.1.5+ |
| 10.2.x | Upgrade to 10.2.11+ |

2. Workaround

Disable SCEP authentication via CLI for temporary protection:

> debug sslmgr set disable-scep-auth-cookie yes 

3. Prisma Access

Tenants have been automatically protected since March 21, 2025.

Vulnerability Summary Table

| Metric | Details |
|---|---|
| CVE ID | CVE-2025-0128 |
| CVSS v4.0 Score | 6.6 (MEDIUM) / 8.7 (Base) |
| Exploit Maturity | Unreported |
| Attack Complexity | Low (No prerequisites) |
| Impact | High Availability Loss |
| Automatable | Yes |
| Public Exploits | None observed as of April 10, 2025 |

While no active exploitation has been reported, Palo Alto Networks classifies this vulnerability as having MODERATE urgency due to its potential to disrupt critical services.

Administrators should prioritize patching, especially for firewalls exposed to untrusted networks.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
