PT-2025-46708 · Palo Alto Networks · Pan-Os

Published

2025-11-12

·

Updated

2025-12-20

·

CVE-2025-4619

CVSS v4.0

6.6

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Amber
Name of the Vulnerable Software and Affected Versions Palo Alto Networks PAN-OS versions prior to 11.1.6-h1 PA-Series firewalls VM-Series firewalls Prisma Access software
Description A denial-of-service (DoS) condition exists in Palo Alto Networks PAN-OS software. An unauthenticated attacker can reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot can cause the firewall to enter maintenance mode. This issue is applicable to firewalls where URL proxy or any decrypt-policy is configured. The issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies. Approximately 3.1 million services are potentially affected worldwide.
Recommendations For PA-Series firewalls, update to a version later than 11.1.6-h1. For VM-Series firewalls, update to a version later than 11.1.6-h1. For Prisma Access software, upgrade to the latest version.

Fix

DoS

Improper Check for Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-00809
CVE-2025-4619

Affected Products

Pan-Os