PAN-OS DoS Vulnerability Allows Attackers to Force Repeated Firewall Reboots

A newly disclosed denial-of-service (DoS) vulnerability in Palo Alto Networks’ PAN-OS software enables attackers to force firewalls into repeated reboots using maliciously crafted packets.

Tracked as CVE-2025-0128, the flaw impacts SCEP (Simple Certificate Enrollment Protocol) authentication and poses significant risks to unpatched systems.

The vulnerability, CVE-2025-0128, enables unauthenticated attackers to disrupt network operations by sending a single malicious packet, triggering repeated firewall reboots.

These attacks force firewalls into maintenance mode, significantly impacting network availability and creating potential downtime for critical systems.

Palo Alto Networks has rated the severity of this issue as 6.6 (MEDIUM) on the CVSS v4.0 scale, with an 8.7 Base Score for unpatched PAN-OS systems.

Immediate mitigation and upgrades are essential to minimize the risk of exploitation. The vulnerability stems from improper checks in SCEP authentication handling.

Attackers exploiting this flaw bypass standard security controls, causing the firewall’s management plane to crash and reboot.

Systems not explicitly configured to use SCEP remain vulnerable, requiring immediate mitigation.

Affected Products

Component	Affected Versions	Unaffected/Fixed Versions
PAN-OS 11.2	< 11.2.3	≥ 11.2.3
PAN-OS 11.1	< 11.1.5	≥ 11.1.5
PAN-OS 10.2	< 10.2.11	≥ 10.2.11
Prisma Access	< 10.2.4-h36, < 10.2.10-h16, < 11.2.4-h5	≥ 10.2.4-h36, ≥ 10.2.10-h16, ≥ 11.2.4-h5
EoL Versions	PAN-OS 11.0, 10.0, 9.1, 9.0, and earlier	Presumed vulnerable (no fixes planned)

Cloud NGFW and proactively updated Prisma Access tenants are not impacted.

Mitigation and Solutions

Palo Alto Networks recommends the following actions:

1. Immediate Upgrades

PAN-OS Version	Fixed Version
11.2.x	Upgrade to 11.2.3+
11.1.x	Upgrade to 11.1.5+
10.2.x	Upgrade to 10.2.11+

2. Workaround

Disable SCEP authentication via CLI for temporary protection:

> debug sslmgr set disable-scep-auth-cookie yes 

3. Prisma Access

Tenants have been automatically protected since March 21, 2025.

Vulnerability Summary Table

Metric	Details
CVE ID	CVE-2025-0128
CVSS v4.0 Score	6.6 (MEDIUM) / 8.7 (Base)
Exploit Maturity	Unreported
Attack Complexity	Low (No prerequisites)
Impact	High Availability Loss
Automatable	Yes
Public Exploits	None observed as of April 10, 2025

While no active exploitation has been reported, Palo Alto Networks classifies this vulnerability as having MODERATE urgency due to its potential to disrupt critical services.

Administrators should prioritize patching, especially for firewalls exposed to untrusted networks.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!