CVE-2025-0128 — Improper Check for Unusual or Exceptional Conditions in Palo Alto Networks Pan-os

CWE-754 — Improper Check for Unusual or Exceptional Conditions CWE-125 — Out-of-bounds Read5 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.1%

top 70.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Palo Alto Networks Prisma Access Paloalto Cloud Ngfw +2 more

Timeline

PublishedApr 11

Description

A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode. Cloud NGFW is not affected by this vulnerability. Prisma® Access software is proactively patched and protected from this issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5palo_alto_networks/prisma_access10.2.0 — 10.2.4-h36+1

▶Palo Altopaloalto/cloud_ngfw

▶CVEListV5palo_alto_networks/pan-os11.2.0 — 11.2.3+4

▶Palo Altopaloalto/prisma_access

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-g8cx-ccc5-rjfw: A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® soft↗2025-04-11

▶

CVEList

PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet↗2025-04-11

▶

📋Vendor Advisories

Microsoft

Out-of-bounds Read in vim/vim↗2022-01-11

▶

Palo Alto

PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet↗

▶