

Severity
Medium
Analysis Summary
A significant denial-of-service (DoS) vulnerability, tracked as CVE-2025-0128, has been identified in Palo Alto Networks’ PAN-OS firewall software, specifically within the Simple Certificate Enrollment Protocol (SCEP) authentication feature. The flaw is particularly dangerous due to its low complexity, network-based vector, and lack of user interaction or authentication requirements. Exploitation can be fully automated, enabling unauthenticated attackers to send maliciously crafted packets that trigger remote system reboots. If done repeatedly, the attack can push devices into maintenance mode, leading to extended downtime and disrupted network security operations.
The vulnerability is categorized under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-153 (Input Data Manipulation), indicating inadequate input validation in the firewall's handling of protocol data. Importantly, the issue does not require explicit SCEP configuration to be exploitable—any unpatched PAN-OS system is at risk. Although there is no direct threat to confidentiality or integrity, the availability impact is high, making this flaw critical for organizations relying on these systems for perimeter defense. Palo Alto Networks currently reports no known in-the-wild exploitation, but public disclosure is expected to accelerate attack attempts.
The vulnerability affects a wide range of PAN-OS versions, including:
- PAN-OS 11.2 (before 11.2.3)
- PAN-OS 11.1 (before 11.1.5)
- PAN-OS 11.0 (before 11.0.6)
- PAN-OS 10.2 (before 10.2.11)
- PAN-OS 10.1 (before 10.1.14-h11)
While Cloud NGFW is not impacted and Prisma Access has already been patched, any organization using the above PAN-OS versions without applying updates remains vulnerable. Systems exposed to the internet face the highest risk, especially as the attack requires no privileges or user input.
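For inventory triage, the version list above can be applied mechanically. The following is an added example, not code from Palo Alto Networks or the original advisory: it parses PAN-OS version strings, including the `-hN` hotfix suffix, and compares them numerically against the fixed version listed for each release train. It assumes the single floor per train given above, so a hotfix build on an earlier maintenance release is reported as affected; the function names and sample hostnames are made up.

```python
import re

# Fixed-version floor per release train, copied from the list above.
FIXED_FLOOR = {
    "11.2": "11.2.3",
    "11.1": "11.1.5",
    "11.0": "11.0.6",
    "10.2": "10.2.11",
    "10.1": "10.1.14-h11",
}

# major.minor.maintenance with an optional -hN hotfix suffix
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in match.groups())


def status(version):
    """Classify one version as 'affected', 'fixed' or 'not-listed'."""
    parsed = parse(version)
    floor = FIXED_FLOOR.get(f"{parsed[0]}.{parsed[1]}")
    if floor is None:
        return "not-listed"  # train not in the list above: check the vendor advisory
    # Numeric tuple comparison, so 10.2.9 < 10.2.11 and 10.1.14 < 10.1.14-h11.
    return "affected" if parsed < parse(floor) else "fixed"


def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: status(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "fw-edge-01": "10.1.14-h10",
    "fw-edge-02": "10.2.9",
    "fw-core-01": "11.2.3",
    "fw-lab-01": "9.1.16",
}

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE).items()):
        print(f"{host}: {SAMPLE[host]} -> {result}")
```

A "not-listed" result means only that the release train does not appear in the list above, not that the device is unaffected.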
Palo Alto Networks strongly recommends upgrading to patched PAN-OS versions immediately. For environments where immediate patching is not feasible, a CLI-based workaround is available; however, it must be reapplied after each reboot. Security teams are advised to treat this vulnerability with urgency, applying mitigations or updates swiftly to minimize risk. Given the ease of exploitation and potential for widespread service disruption, organizations should prioritize firewall upgrades and monitor for unusual traffic targeting the SCEP feature. The discovery by researcher “Abyss Watcher” highlights the importance of ongoing collaboration in identifying and addressing vulnerabilities in critical infrastructure.
Impact
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-0128
Affected Vendors
Remediation
- Refer to the Palo Alto Networks Security Advisory for patch, upgrade, or suggested workaround information.
- Prioritize patching for internet-facing firewalls, as they are at highest risk of exploitation.
- Continuously monitor systems for unusual traffic or reboot patterns that may indicate attack attempts.
- Stay updated with official Palo Alto Networks advisories for any further developments or patches.
- Review firewall rules and minimize SCEP exposure if not actively used.