CVE-2025-0128: 
PAN-OS vulnerability analysis and mitigation

A denial-of-service (DoS) vulnerability (CVE-2025-0128) was discovered in the Simple Certificate Enrollment Protocol (SCEP) authentication feature of Palo Alto Networks PAN-OS software. The vulnerability, disclosed on April 9, 2025, enables unauthenticated attackers to initiate system reboots using maliciously crafted packets. The affected versions include PAN-OS versions 11.2 (< 11.2.3), 11.1 (< 11.1.5), 11.0 (< 11.0.6), 10.2 (< 10.2.10-h17), and 10.1 (< 10.1.14-h11). Cloud NGFW is not affected, and Prisma Access software has been proactively patched (Palo Security).

The vulnerability has been assigned a CVSS v4.0 score of 6.6 (MEDIUM) with a Base Score of 8.7. The attack vector is network-based with low attack complexity, requiring no user interaction or special privileges. The vulnerability specifically impacts the SCEP authentication handling mechanism, where improper checks allow attackers to bypass standard security controls, causing the firewall's management plane to crash and reboot. Notably, systems do not need to have explicitly configured SCEP to be vulnerable (GBHackers, Palo Security).

When exploited, the vulnerability allows attackers to force affected firewalls into repeated reboots, ultimately causing the system to enter maintenance mode. This can result in significant network disruption and downtime for critical systems. The impact primarily affects system availability, with no direct impact on confidentiality or integrity (Palo Security).

Palo Alto Networks has released patches for affected versions and recommends upgrading to PAN-OS 11.2.3 or later, 11.1.5 or later, or 10.2.11 or later. For immediate mitigation, administrators can disable SCEP authentication using the CLI command 'debug sslmgr set disable-scep-auth-cookie yes'. However, this workaround must be reapplied after each system reboot. Prisma Access tenants have been automatically protected since March 21, 2025 (Palo Security).