Critical PAN-OS Firewall Vulnerability Allows Remote Reboots via Malicious Packets
Palo Alto Networks has recently disclosed a significant security flaw in its PAN-OS firewall software, identified as CVE-2025-4619. This vulnerability enables unauthenticated attackers to remotely reboot affected firewalls by sending specially crafted packets, potentially leading to service disruptions and exposing organizations to further security risks.
Understanding the Vulnerability
CVE-2025-4619 is classified under CWE-754, which pertains to improper checks for unusual or exceptional conditions. The flaw resides within the PAN-OS software’s dataplane, allowing attackers to exploit it without the need for authentication, credentials, or user interaction. By transmitting a malicious packet, an attacker can trigger an unexpected reboot of the firewall. Repeated exploitation can force the device into maintenance mode, severely impacting network operations and leaving the organization vulnerable during downtime.
Severity and Impact
Palo Alto Networks scores the flaw under CVSS v4.0 with a base score (CVSS-B) of 8.7, high severity: the attack vector is network, attack complexity is low, no privileges or user interaction are required, and the impact falls entirely on the availability of the firewall itself. The threat-adjusted score (CVSS-BT) is 6.6, medium, and is lower only because no exploitation has been reported; the vendor rates the urgency as moderate. The two numbers describe the same vulnerability, so the base score is the one to use when judging the worst case for an internet-facing firewall.
Affected Systems
The vulnerability impacts the following systems:
– PA-Series Firewalls: Physical firewall appliances running vulnerable versions of PAN-OS.
– VM-Series Firewalls: Virtual firewall instances operating on affected PAN-OS versions.
– Prisma Access Deployments: Cloud-delivered security services utilizing susceptible PAN-OS versions.
Notably, Cloud NGFW deployments are not affected by this vulnerability.
Vulnerable PAN-OS Versions
The following PAN-OS versions are susceptible to CVE-2025-4619:
– PAN-OS 10.2: Versions up to and including 10.2.13.
– PAN-OS 11.1: Versions up to and including 11.1.6.
– PAN-OS 11.2: Versions up to and including 11.2.4.
It’s important to note that PAN-OS versions 12.1 and 10.1 are not affected by this vulnerability.
Exploitation Conditions
For the vulnerability to be exploitable, specific configurations must be present:
– URL Proxy or Decryption Policy Enabled: The firewall must have either a URL proxy or a decryption policy configured.
– Explicit No-Decrypt Rules Still Count: A decryption policy that consists only of explicit no-decrypt rules still satisfies the condition, so adding no-decrypt rules does not remove exposure.
These conditions highlight the importance of reviewing firewall configurations to assess exposure to this vulnerability.
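A quick triage script tying the version ranges and the decryption-policy condition together, as an added example that is not Palo Alto Networks code and not part of the original article. It compares a PAN-OS version string against the affected ranges listed above and scans an exported running configuration for decryption rules. The config fragment is constructed for the example; its layout (rulebase/decryption/rules/entry with an action element) follows the usual PAN-OS XML config shape but is an assumption, as is the treatment of hotfix builds (only the maintenance number is compared). The URL proxy condition is not modelled and must be checked separately.

```python
"""Exposure triage for CVE-2025-4619 (added example, not vendor code).

Decides, from a PAN-OS version string and an exported running config,
whether a firewall is in the affected version ranges stated in the text and
whether it has a decryption policy configured (including no-decrypt rules).
"""
import re
import xml.etree.ElementTree as ET

# Version ranges from the text: affected branch -> first fixed maintenance release.
FIXED = {
    (10, 2): 14,   # 10.2.x vulnerable up to and including 10.2.13
    (11, 1): 7,    # 11.1.x vulnerable up to and including 11.1.6
    (11, 2): 5,    # 11.2.x vulnerable up to and including 11.2.4
}
# Branches the text lists as not affected.
UNAFFECTED_BRANCHES = {(10, 1), (12, 1)}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(sw_version):
    """Split a PAN-OS version such as '10.2.10-h2' into (major, minor, maint, hotfix)."""
    m = _VER_RE.match(sw_version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {sw_version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_is_vulnerable(sw_version):
    """True/False for branches the text describes, None for any other branch.

    Assumption: a hotfix build of an affected maintenance release (e.g. 10.2.13-h3)
    is treated as affected; only the maintenance number is compared. Confirm the
    exact fixed builds per branch against the vendor advisory.
    """
    major, minor, maint, _ = parse_version(sw_version)
    branch = (major, minor)
    if branch in UNAFFECTED_BRANCHES:
        return False
    if branch not in FIXED:
        return None
    return maint < FIXED[branch]


# Constructed fragment of a PAN-OS running config (not captured from a real device).
# Assumed layout: config/devices/entry/vsys/entry/rulebase/decryption/rules/entry/action
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <rulebase>
        <decryption><rules>
          <entry name="skip-banking"><action>no-decrypt</action></entry>
        </rules></decryption>
        <security><rules>
          <entry name="allow-web"><action>allow</action></entry>
        </rules></security>
      </rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def decryption_rules(config_xml):
    """Return [(rule name, action)] for every decryption rule in every vsys."""
    root = ET.fromstring(config_xml)
    rules = []
    for entry in root.iterfind(".//rulebase/decryption/rules/entry"):
        rules.append((entry.get("name"), entry.findtext("action", default="")))
    return rules


def config_is_exposed(config_xml):
    """The precondition is met when any decryption rule exists, including rules
    whose action is no-decrypt: per the text an explicit no-decrypt policy still
    counts as a decryption policy being enabled."""
    return len(decryption_rules(config_xml)) > 0


def triage(sw_version, config_xml):
    """Combine both checks; 'upgrade' is True whenever the version is in an affected range."""
    vuln = version_is_vulnerable(sw_version)
    exposed = config_is_exposed(config_xml)
    return {
        "version": sw_version,
        "vulnerable_version": vuln,
        "decryption_policy_present": exposed,
        "upgrade": bool(vuln),
        "exploitable_now": bool(vuln) and exposed,
    }


if __name__ == "__main__":
    for v in ("10.2.10-h2", "10.2.14", "11.1.6", "11.2.5", "12.1.0"):
        print(triage(v, SAMPLE_CONFIG))
```

On a real device the version comes from the `sw-version` field of `show system info` and the configuration from a running-config export; the `upgrade` flag is deliberately independent of the policy check, since the absence of a decryption policy today says nothing about tomorrow's config changes.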
Mitigation and Recommendations
Palo Alto Networks strongly recommends upgrading to patched versions of PAN-OS to mitigate the risk associated with CVE-2025-4619:
– For PAN-OS 11.2: Upgrade to version 11.2.5 or later.
– For PAN-OS 11.1: Upgrade to version 11.1.7 or later.
– For PAN-OS 10.2: Upgrade to version 10.2.14 or later.
As of now, there are no known workarounds for this vulnerability, making timely patching crucial.
Current Exploitation Status
At present, Palo Alto Networks has not identified any active malicious exploitation of CVE-2025-4619. However, given the ease of exploitation and the potential operational impact, administrators are urged to prioritize patching to safeguard their network infrastructure.
Broader Context of PAN-OS Vulnerabilities
This disclosure is part of a series of vulnerabilities identified in PAN-OS over recent years:
– CVE-2024-3393: A high-severity flaw in the DNS Security feature of PAN-OS, allowing unauthenticated attackers to trigger a Denial of Service (DoS) condition by sending specially crafted DNS packets.
– CVE-2025-0110: A command injection vulnerability in the PAN-OS OpenConfig plugin, enabling authenticated administrators to execute arbitrary commands on firewalls via manipulated gNMI requests, escalating privileges to root access.
– CVE-2025-0128: A denial-of-service vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of PAN-OS, allowing unauthenticated attackers to initiate system reboots using maliciously crafted packets.
These vulnerabilities underscore the critical importance of timely patch management and robust monitoring practices to safeguard network infrastructure against emerging threats.
Conclusion
The disclosure of CVE-2025-4619 highlights the ongoing challenges in maintaining secure network environments. Organizations utilizing Palo Alto Networks firewalls should promptly assess their systems, apply the necessary patches, and review configurations to mitigate potential risks. Staying vigilant and proactive in addressing such vulnerabilities is essential to ensure the resilience and security of network infrastructures.