
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability (CVE-2025-0123) was discovered in Palo Alto Networks PAN-OS software that enables unlicensed administrators to view clear-text data captured using the packet capture feature in decrypted HTTP/2 data streams traversing network interfaces on the firewall. The vulnerability was disclosed on April 9, 2025, and affects multiple versions of PAN-OS including versions 11.2 (< 11.2.6), 11.1 (< 11.1.8), 10.2 (< 10.2.15), and 10.1 (< 10.1.14-h13). Cloud NGFW and Prisma Access are not impacted by this vulnerability (PAN Advisory).
The vulnerability requires specific configurations to be exploitable: an SSL decryption policy matching HTTP/2 data flows tied to a decryption profile without 'Strip ALPN' enabled, and Global HTTP/2 inspection enabled (which is enabled by default). The severity is rated as LOW with a CVSS Base Score of 1.9, and the suggested urgency is MODERATE. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information) and CAPEC-158 (Sniffing Network Traffic) (PAN Advisory).
The vulnerability impacts confidentiality as firewall administrators can view traffic that they should not be able to see without proper licensing. However, there is no impact on integrity or availability of the traffic. The risk is nullified if the firewall is licensed for decryption port mirroring, as in that case, firewall administrators are already authorized to obtain decrypted packet captures (PAN Advisory).
The vulnerability has been fixed in PAN-OS versions 10.1.14-h13, 10.2.15, 11.1.8, 11.2.6, and all later versions. As a workaround, administrators can configure the decryption profile to strip ALPN from the TLS handshake, which prevents HTTP/2 inspection and consequently prevents decrypted HTTP/2 traffic exposure. Additionally, it is recommended to restrict management interface access to only trusted internal IP addresses according to critical deployment guidelines (PAN Advisory).
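The version ranges and preconditions above can be turned into a triage check for a firewall inventory. The following Python is an added example, not code from Palo Alto Networks or from this database; the function names and the three boolean inputs (which an operator would read from the device configuration and license list) are assumptions, and the fixed-release table contains only the versions listed on this page.

```python
import re

# Fixed releases per branch as listed on this page: branch -> (maintenance, hotfix).
FIXED = {
    (11, 2): (6, 0),
    (11, 1): (8, 0),
    (10, 2): (15, 0),
    (10, 1): (14, 13),  # 10.1.14-h13
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Split 'major.minor.maint[-hN]' into ((major, minor), (maint, hotfix))."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)


def version_status(version):
    """Return 'fixed' or 'affected', or 'unknown' for a branch this page does not list."""
    branch, release = parse_panos(version)
    if branch not in FIXED:
        return "unknown"
    return "fixed" if release >= FIXED[branch] else "affected"


def triage(version, strip_alpn, http2_inspection, port_mirror_license):
    """Combine the version check with the preconditions named above.

    Assumes an SSL decryption policy matching HTTP/2 flows exists.
    strip_alpn: the decryption profile tied to that policy has 'Strip ALPN' enabled.
    http2_inspection: global HTTP/2 inspection is on (the default).
    port_mirror_license: the firewall is licensed for decryption port mirroring.
    """
    status = version_status(version)
    if status != "affected":
        return status
    if port_mirror_license:
        return "not applicable: decryption port mirroring licensed"
    if strip_alpn or not http2_inspection:
        return "affected version, preconditions not met"
    return "exposed: upgrade or enable Strip ALPN"
```

A result of "unknown" means the branch is outside the four listed here and should be checked against the vendor advisory rather than assumed safe.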
Source: This report was generated using AI