We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-0123

PAN-OS: Information Disclosure Vulnerability in HTTP/2 Packet Captures



Description

A vulnerability in the Palo Alto Networks PAN-OS® software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted. In normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to configure decryption port mirroring https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring . The administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Customer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting. Prisma® Access is not impacted by this vulnerability.

Reserved 2024-12-20 | Published 2025-04-11 | Updated 2025-04-11 | Assigner palo_alto


MEDIUM: 5.9CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

Firewall administrators can see traffic that they should not be able to see, which impacts confidentiality but there is no impact to integrity or availability of that traffic.

NONE: 0.0CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/U:Clear

There is no risk if the firewall is licensed for decryption port mirroring because firewall administrators are already authorized to obtain decrypted packet captures from Palo Alto Networks firewalls.

Problem types

CWE-312 Cleartext Storage of Sensitive Information

Product status

Default status
unaffected

All
unaffected

Default status
unaffected

11.2.0 before 11.2.6
affected

11.1.0 before 11.1.8
affected

10.2.0 before 10.2.15
affected

10.1.0 before 10.1.14-h13
affected

Default status
unaffected

All
unaffected

Timeline

2025-04-09:Initial Publication

Credits

Saurabh Tripathi of Palo Alto Networks finder

References

security.paloaltonetworks.com/CVE-2025-0123 vendor-advisory

cve.org (CVE-2025-0123)

nvd.nist.gov (CVE-2025-0123)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-0123

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.