A significant denial-of-service (DoS) vulnerability, tracked as CVE-2025-0128, has been discovered in Palo Alto Networks’ PAN-OS firewall software. The flaw lets unauthenticated attackers remotely trigger a system reboot by sending specially crafted packets; repeated attacks can push an affected device into maintenance mode, taking it out of service.
The vulnerability lies in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of PAN-OS and carries a CVSS score of 6.6, rated “MEDIUM.” Despite that rating, security experts are particularly concerned because the attack vector is network-based and the attack complexity is low, which makes exposed systems an easy target.
Security experts have assigned this vulnerability to CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CAPEC-153 (Input Data Manipulation), pinpointing fundamental issues in handling unexpected input conditions. Notably, the attack does not require user interaction and can be automated, substantially increasing its potential danger.
The discovery can be attributed to the independent security researcher known as “Abyss Watcher.” PAN-OS versions affected include 11.2 (
Cloud NGFW remains unaffected, while Prisma Access installations have received proactive patches. Palo Alto Networks urges immediate upgrades to patched versions to mitigate the risk. For those unable to update immediately, a temporary CLI-based workaround exists, though it must be reapplied after each system reboot.
Although no malicious exploitation has been reported so far, security teams should prioritize patching, especially for internet-facing firewalls, to guard against future attacks.
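The observable effect of this flaw on the defender's side is a firewall that reboots repeatedly and eventually lands in maintenance mode. The following is an added example, not code from the article or from Palo Alto Networks, that scans syslog-style events for that pattern: it raises an alert when a device logs more than a threshold number of restarts inside a sliding time window and separately records any device that reports entering maintenance mode. The line format, device names, event strings (`system-restart`, `maintenance-mode`) and timestamps are all constructed for illustration and are not the real PAN-OS system-log format.

```python
"""Flag repeated-reboot storms in constructed firewall log lines.

Added example (not from the article or Palo Alto Networks). The log format,
device names and event wording below are hypothetical; adapt LINE_RE and the
event markers to the real log source before use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical line format: "<ISO timestamp> <device> SYSTEM <event text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<device>\S+) SYSTEM (?P<event>.+)$"
)

# Constructed sample input: fw-edge-01 restarts three times within 21 minutes
# and then reports maintenance mode; fw-core-02 restarts once (benign).
SAMPLE_LOG = [
    "2025-04-10T08:00:00 fw-edge-01 SYSTEM system-restart requested",
    "2025-04-10T08:07:00 fw-edge-01 SYSTEM system-restart requested",
    "2025-04-10T08:15:00 fw-core-02 SYSTEM system-restart requested",
    "2025-04-10T08:21:00 fw-edge-01 SYSTEM system-restart requested",
    "2025-04-10T08:40:00 fw-edge-01 SYSTEM entered maintenance-mode",
    "this line is not in the expected format",
]


def parse_line(line):
    """Return (timestamp, device, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["device"], m["event"]


def analyze(lines, threshold=3, window=timedelta(minutes=30)):
    """Scan log lines for reboot storms and maintenance-mode transitions.

    Returns a dict with:
      "storms": {device: (first_restart_ts, last_restart_ts, count)} for each
                device that reached `threshold` restarts within `window`
      "maintenance_mode": sorted list of devices that logged maintenance mode
    """
    recent = defaultdict(deque)   # per-device restart timestamps in the window
    storms = {}
    maintenance = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip unparseable lines rather than failing
        ts, device, event = parsed
        if "maintenance-mode" in event:
            maintenance.add(device)
            continue
        if "system-restart" not in event:
            continue
        q = recent[device]
        q.append(ts)
        # Drop restarts older than the window; q is non-empty after append.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and device not in storms:
            storms[device] = (q[0], ts, len(q))
    return {"storms": storms, "maintenance_mode": sorted(maintenance)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for device, (first, last, count) in result["storms"].items():
        print(f"ALERT {device}: {count} restarts between {first} and {last}")
    for device in result["maintenance_mode"]:
        print(f"ALERT {device}: entered maintenance mode")
```

Run against the sample, the function reports one restart storm on fw-edge-01 (three restarts between 08:00 and 08:21) and lists fw-edge-01 as having entered maintenance mode; fw-core-02's single restart stays below the threshold. The threshold and window are deliberately parameters, since the appropriate values depend on how often a given firewall is legitimately restarted for maintenance.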