CVE-2025-0126: 
PAN-OS vulnerability analysis and mitigation

A session fixation vulnerability (CVE-2025-0126) was discovered in the GlobalProtect SAML login functionality of PAN-OS. The vulnerability was disclosed on April 9, 2025, affecting multiple versions of PAN-OS including 11.2, 11.1, 11.0, 10.2, and 10.1. The issue specifically impacts firewalls configured with GlobalProtect portal using SAML Authentication, while Cloud NGFW and Prisma Access instances are not affected (Palo Security).

The vulnerability is classified with a CVSS 4.0 Base Score of 8.3 (HIGH) and requires network access with low attack complexity. The attack vector is network-based (AV:N) with active user interaction required (UI:A). The vulnerability specifically affects the SAML authentication mechanism in GlobalProtect login, allowing for session fixation attacks. The technical assessment indicates low integrity impact (VI:L) but high availability impact (VA:H) with high subsequent confidentiality impact (SC:H) (Palo Security).

If successfully exploited, this vulnerability enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. The attack requires the legitimate user to first click on a malicious link provided by the attacker. The vulnerability affects the GlobalProtect portal's SAML authentication but does not impact the SAML login for the PAN-OS management interface (Palo Security).

Several mitigation options are available. Organizations can upgrade to fixed versions: PAN-OS 11.2.3 or later for 11.2 versions, 11.1.5 or later for 11.1 versions, 11.0.6 or later for 11.0 versions, and specific hotfix versions for 10.2 and 10.1. Alternatively, organizations can mitigate the issue by using different authentication methods for the GlobalProtect portal, such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos (Palo Security).

The vulnerability was discovered and reported by D'Angelo Gonzalez of CrowdStrike, demonstrating ongoing security research collaboration in the industry. Palo Alto Networks has proactively initiated an upgrade of Prisma Access on March 21, 2025, to protect all tenants (Palo Security).