Analysis Summary

CVE-2025-0120 CVSS:7.1

A vulnerability with a privilege management mechanism in the Palo Alto Networks GlobalProtect™ app on Windows devices allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM. However, execution requires that the local user can also successfully exploit a race condition, which makes this vulnerability difficult to exploit.

CVE-2025-0121 CVSS:6.8

A null pointer dereference vulnerability in the Palo Alto Networks Cortex® XDR agent on Windows devices allows a low-privileged local Windows user to crash the agent. Additionally, malware can use this vulnerability to perform malicious activity without Cortex XDR being able to detect it.

CVE-2025-0122 CVSS:5.1

A denial-of-service (DoS) vulnerability in Palo Alto Networks Prisma® SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to disrupt the packet processing capabilities of the device by sending a burst of crafted packets to that device.

CVE-2025-0123 CVSS:6.4

A vulnerability in the Palo Alto Networks PAN-OS® software enables unlicensed administrators to view clear-text data captured using the packet capture feature in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted.

CVE-2025-0124 CVSS:5.4

An authenticated file deletion vulnerability in the Palo Alto Networks PAN-OS® software enables an authenticated attacker with network access to the management web interface to delete certain files as the “nobody” user; this includes limited logs and configuration files but does not include system files.

CVE-2025-0125 CVSS:6.9

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.

CVE-2025-0126 CVSS:8.3

When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker.

CVE-2025-0127 CVSS:7.1

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. This issue is only applicable to PAN-OS VM-Series. This issue does not affect firewalls that are already deployed.

CVE-2025-0128 CVSS:8.7

A denial-of-service (DoS) vulnerability in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.

Impact

• Denial of Service
• Gain Access
• Security Bypass
• Privilege Escalation
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2025-0120
• CVE-2025-0121
• CVE-2025-0122
• CVE-2025-0123
• CVE-2025-0124
• CVE-2025-0125
• CVE-2025-0126
• CVE-2025-0127
• CVE-2025-0128

Affected Vendors

Remediation

Refer to Palo Alto Networks Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-0120

CVE-2025-0121

CVE-2025-0122

CVE-2025-0123

CVE-2025-0124

CVE-2025-0125

CVE-2025-0126

CVE-2025-0127

CVE-2025-0128