CVE-2025-4614 — Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks Pan-os

CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 89.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Palo Alto Networks Pan-os Paloaltonetworks Pan-os Paloalto Cloud Ngfw +2 more

Timeline

PublishedOct 9

Description

An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators. Cloud NGFW and Prisma® Access are not affected by this vulnerability.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages5 packages

▶Palo Altopaloalto/cloud_ngfw

▶Palo Altopaloalto/prisma_access

▶NVDpaloaltonetworks/pan-os10.2.0 — 10.2.17+3

▶CVEListV5palo_alto_networks/pan-os11.2.0 — 11.2.8+2

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-p4fj-c8rg-ggm6: An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users↗2025-10-09

▶

CVEList

PAN-OS: Session Token Disclosure Vulnerability↗2025-10-09

▶

📋Vendor Advisories

Palo Alto

PAN-OS: Session Token Disclosure Vulnerability↗

▶