{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2025-0130", "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "state": "PUBLISHED", "assignerShortName": "palo_alto", "dateReserved": "2024-12-20T23:23:30.807Z", "datePublished": "2025-05-14T17:37:40.937Z", "dateUpdated": "2026-05-29T21:35:40.150Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto", "dateUpdated": "2026-05-29T21:35:40.150Z" }, "title": "PAN-OS: Firewall Denial-of-Service (DoS) in the Web-Proxy Feature via a Burst of Maliciously Crafted Packets", "datePublic": "2025-05-14T16:00:00.000Z", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "type": "CWE" } ] } ], "impacts": [ { "capecId": "CAPEC-583", "descriptions": [ { "lang": "en", "value": "CAPEC-583 Disabling Network Hardware" } ] } ], "affected": [ { "vendor": "Palo Alto Networks", "product": "Cloud NGFW", "versions": [ { "status": "unaffected", "version": "All", "versionType": "custom" } ], "defaultStatus": "unaffected" }, { "vendor": "Palo Alto Networks", "product": "PAN-OS", "versions": [ { "status": "affected", "version": "11.2.0", "lessThan": "11.2.5", "changes": [ { "at": "11.2.5", "status": "unaffected" } ], "versionType": "custom" }, { "status": "affected", "version": "11.1.0", "lessThan": "11.1.6-h1", "changes": [ { "at": "11.1.6-h1", "status": "unaffected" }, { "at": "11.1.7-h2", "status": "unaffected" }, { "at": "11.1.8", "status": "unaffected" } ], "versionType": "custom" }, { "status": "unaffected", "version": "10.2.0", "versionType": "custom" }, { "status": "unaffected", "version": "10.1.0", "versionType": "custom" } ], "defaultStatus": "unaffected", "cpes": [ "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*" ] }, { "vendor": "Palo Alto Networks", "product": "Prisma Access", "versions": [ { "status": "unaffected", "version": "All", "versionType": "custom" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.\n\n\n\nThis issue does not affect Cloud NGFW or Prisma Access.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "
A missing exception check in Palo Alto Networks PAN-OS® software with the web proxy feature enabled allows an unauthenticated attacker to send a burst of maliciously crafted packets that causes the firewall to become unresponsive and eventually reboot. Repeated successful attempts to trigger this condition will cause the firewall to enter maintenance mode.
This issue does not affect Cloud NGFW or Prisma Access.
" } ] } ], "references": [ { "url": "https://security.paloaltonetworks.com/CVE-2025-0130", "tags": [ "vendor-advisory" ] } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:U/V:C/RE:L/U:Amber" } } ], "configurations": [ { "lang": "en", "value": "This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.\nTo verify if you have configured web proxy on your PAN-OS device, see our documentation regarding the web proxy feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxyhttps:// .", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "This issue only affects PAN-OS firewalls that have the web proxy feature enabled. This feature is only available on PAN-OS 11.0 and above. Additionally a license is required to use the web proxy feature.| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.2 | 11.2.0 through 11.2.4 | Upgrade to 11.2.5 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.7 | Upgrade to 11.1.7-h2 or 11.1.8 or later. |
| 11.1.0 through 11.1.6 | Upgrade to 11.1.6-h1 or 11.1.8 or later. | |
| PAN-OS 11.0 (EoL) | Upgrade to a supported fixed version. | |
| PAN-OS 10.2 | No action needed. | |
| PAN-OS 10.1 | No action needed. | |
| All other unsupported PAN-OS versions | Upgrade to a supported fixed version. |