A critical **denial-of-service (DoS) vulnerability (CVE-TBD)** in **Palo Alto Networks’ PAN-OS** allows unauthenticated attackers to remotely reboot firewalls by sending maliciously crafted packets via the data plane. Repeated exploits can force firewalls into **maintenance mode**, disabling network protections and exposing organizations to **secondary attacks**. The flaw affects **PA-Series, VM-Series firewalls, and Prisma Access** (excluding Cloud NGFW) across multiple PAN-OS versions (10.2, 11.1, 11.2), with **no evidence of active exploitation** yet. The issue stems from **improper exception handling (CWE-754)** and **pointer manipulation (CAPEC-129)**, requiring **no authentication or user interaction**. While Palo Alto Networks assigned a **CVSS 8.7 (MEDIUM severity, MODERATE urgency)**, the vulnerability’s **network-based, no-authentication exploitability** poses significant risk to **critical infrastructure**. Affected organizations lack workarounds, making **immediate patching** essential. Unpatched systems face **operational disruption**, potential **follow-on attacks**, and **loss of firewall resilience**, though no data breaches or ransomware are reported. Remediation requires upgrades to **PAN-OS 10.2.14, 11.1.7, or 11.2.5** (or hotfixes), with Prisma Access patches pending for some deployments.
Source: https://cyberpress.org/palo-alto-pan-os-vulnerability/
Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks
{
  "id": "PAL5292352111325",
  "linkid": "palo-alto-networks",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Organizations using vulnerable PAN-OS versions (PA-Series, VM-Series, Prisma Access)',
                        'industry': 'Network Security',
                        'location': 'Santa Clara, California, USA',
                        'name': 'Palo Alto Networks',
                        'type': 'Cybersecurity Vendor'},
                       {'location': 'Global',
                        'name': 'Organizations using affected PAN-OS versions',
                        'type': ['Enterprises', 'Government Agencies', 'Service Providers']}],
 'attack_vector': 'Network-based (no authentication or user interaction required)',
 'customer_advisories': ['Direct notifications to Prisma Access customers for patch scheduling'],
 'description': 'A critical denial-of-service vulnerability (CVE-TBD) has been identified in Palo Alto Networks PAN-OS software '
                'that allows unauthenticated attackers to remotely reboot firewalls by crafting specially designed packets through the data plane. '
                'Repeated reboot attempts can force affected firewalls into maintenance mode, disabling network protection capabilities '
                'and leaving organizations vulnerable to secondary attacks. '
                'The vulnerability impacts PA-Series firewalls, VM-Series firewalls, and Prisma Access deployments across multiple PAN-OS versions (excluding Cloud NGFW). '
                'It manifests only on firewalls with URL proxy or any decrypt policy configured (including explicit decrypt, explicit no-decrypt, or no-matching policies). '
                'The issue stems from improper checks for unusual conditions (CWE-754) and pointer manipulation (CAPEC-129). '
                'Palo Alto Networks assigned a CVSS base score of 8.7 (MEDIUM severity, MODERATE urgency) and reports no evidence of active exploitation in the wild. '
                'Remediation requires patching to specific versions (e.g., PAN-OS 10.2.14, 11.1.7, or 11.2.5) or applying hotfixes, '
                'with no workarounds available for unpatched systems.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to security posture degradation',
            'downtime': 'Potential extended downtime due to forced maintenance mode and secondary attack exposure',
            'operational_impact': 'Loss of firewall protection, network disruption, vulnerability to follow-on attacks',
            'systems_affected': [{'type': 'PA-Series Firewalls',
                                  'versions': ['10.2 (all ≤ 10.2.13)', '11.1 (all ≤ 11.1.6)', '11.2 (< 11.2.5)']},
                                 {'type': 'VM-Series Firewalls',
                                  'versions': ['10.2 (all ≤ 10.2.13)', '11.1 (all ≤ 11.1.6)', '11.2 (< 11.2.5)']},
                                 {'type': 'Prisma Access',
                                  'versions': ['Underlying PAN-OS versions (see above)']}]},
 'investigation_status': 'Ongoing (no active exploitation detected; patches released)',
 'lessons_learned': ['Criticality of prompt patching for network infrastructure vulnerabilities',
                     'Risks of DoS vulnerabilities enabling secondary attacks',
                     'Importance of maintenance windows for security updates'],
 'post_incident_analysis': {'corrective_actions': ['Code fixes in patched PAN-OS versions to validate data plane inputs',
                                                   'Enhanced testing for DoS resilience in firewall software',
                                                   'Proactive hotfix distribution for critical vulnerabilities'],
                            'root_causes': ['Improper checks for unusual conditions (CWE-754)',
                                            'Pointer manipulation vulnerability (CAPEC-129)',
                                            'Lack of input validation in data plane packet handling']},
 'recommendations': ['Immediately upgrade to patched PAN-OS versions (10.2.14, 11.1.7, 11.2.5+) or apply hotfixes',
                     'Prioritize remediation during next maintenance window for Prisma Access',
                     'Monitor for signs of exploitation (unexpected reboots, maintenance mode)',
                     'Review decrypt policies and URL proxy configurations for exposure',
                     'Assess secondary attack surfaces exposed during firewall downtime'],
 'references': [{'source': 'Palo Alto Networks Security Advisory'}],
 'response': {'communication_strategy': ['Public advisory with remediation guidance',
                                         'Customer notifications for Prisma Access upgrades'],
              'containment_measures': ['Urgent patching to remediated versions',
                                       'Hotfix application (e.g., 10.2.13-h3, 11.1.6-h1)'],
              'remediation_measures': [{'action': 'Upgrade to 10.2.14 or apply hotfix 10.2.13-h3+',
                                        'product': 'PAN-OS 10.2'},
                                       {'action': 'Upgrade to 11.1.7 or apply hotfix 11.1.6-h1/11.1.4-h13',
                                        'product': 'PAN-OS 11.1'},
                                       {'action': 'Upgrade to 11.2.5 or apply hotfixes',
                                        'product': 'PAN-OS 11.2'},
                                       {'action': 'Palo Alto Networks completing upgrades (except conflicting maintenance windows)',
                                        'product': 'Prisma Access'}]},
 'stakeholder_advisories': ['Public security advisory issued by Palo Alto Networks'],
 'title': 'Critical Denial-of-Service Vulnerability in Palo Alto Networks PAN-OS Software',
 'type': ['Denial-of-Service (DoS)', 'Vulnerability Exploitation'],
 'vulnerability_exploited': {'capec_id': ['CAPEC-129 (Pointer Manipulation)'],
                             'cve_id': ['CVE-TBD'],
                             'cvss_score': {'base': 8.7, 'behavioral': 6.6},
                             'cwe_id': ['CWE-754 (Improper Check for Unusual or Exceptional Conditions)'],
                             'severity': 'MEDIUM',
                             'urgency': 'MODERATE'}}