cbcvebase.
CVE-2025-0126
published 2025-04-11


Priority: P345 · Severity: high · CVSS 4.0 base score: 8.3
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
EPSS: 0.32% (24.2th percentile)
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker. The SAML login for the PAN-OS® management interface is not affected. Additionally, this issue does not affect Cloud NGFW, and all Prisma® Access instances are proactively patched.

Affected (10 ranges)

Vendor              Product        Version range                 Fixed in
palo_alto_networks  pan-os         >= 10.1.0 < 10.1.14-h11       10.1.14-h11
palo_alto_networks  pan-os         >= 10.2.0 < 10.2.10-h6        10.2.10-h6
palo_alto_networks  pan-os         >= 11.0.0 < 11.0.6            11.0.6
palo_alto_networks  pan-os         >= 11.1.0 < 11.1.5            11.1.5
palo_alto_networks  pan-os         >= 11.2.0 < 11.2.3            11.2.3
palo_alto_networks  prisma_access  >= 10.2.0 < 10.2.4-h36        10.2.4-h36
palo_alto_networks  prisma_access  >= 11.2.0 < 11.2.4-h5         11.2.4-h5
paloalto            cloud_ngfw     (no version range listed)     -
paloalto            pan-os         (no version range listed)     -
paloalto            prisma_access  (no version range listed)     -