PT-2025-46708 · Palo Alto Networks · PAN-OS
Published: 2025-11-12 · Updated: 2025-12-20
CVE-2025-4619
CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Name of the Vulnerable Software and Affected Versions
Palo Alto Networks PAN-OS versions prior to 11.1.6-h1
PA-Series firewalls
VM-Series firewalls
Prisma Access software
Description
A denial-of-service (DoS) condition exists in Palo Alto Networks PAN-OS software. An unauthenticated attacker can reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot can cause the firewall to enter maintenance mode. This issue is applicable to firewalls where URL proxy or any decrypt-policy is configured. The issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies. Approximately 3.1 million services are potentially affected worldwide.
Recommendations
For PA-Series firewalls, update to a version later than 11.1.6-h1.
For VM-Series firewalls, update to a version later than 11.1.6-h1.
For Prisma Access software, upgrade to the latest version.
Tags: Fix · DoS · Improper Check for Exceptional Conditions
Affected Products: PAN-OS