CVE-2025-0136
PAN-OS vulnerability analysis and mitigation

Overview

CVE-2025-0136 is a vulnerability discovered in Palo Alto Networks PAN-OS firewalls that affects the implementation of the AES-128-CCM algorithm for IPSec. The vulnerability was discovered internally by Benjamin Bai of Palo Alto Networks and was disclosed on May 14, 2025. The issue affects specific hardware models, including the PA-7500, PA-5400, PA-5400f, PA-3400, PA-1400, and PA-400 Series firewalls, while Cloud NGFW, Prisma Access instances, and PAN-OS VM-Series firewalls remain unaffected (Palo Security).

Technical details

The vulnerability occurs when the AES-128-CCM algorithm is used for IPSec on certain Intel-based hardware devices: traffic destined for peers connected through IPSec is transmitted unencrypted instead of being protected by the tunnel. The severity is rated LOW, with a CVSS-BT score of 1.3 and a CVSS-B score of 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber). The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information) and CAPEC-117 (Interception) (Palo Security).

Impact

When exploited, this vulnerability leads to the transmission of unencrypted data between the PAN-OS firewall and connected devices through IPSec when using the AES-128-CCM algorithm. This could potentially expose sensitive information during transmission, compromising data confidentiality (Wiz Database).

Mitigation and workarounds

Palo Alto Networks has released patches for the affected versions: upgrade to PAN-OS 11.1.5 or later for 11.1 releases, 11.0.7 or later for 11.0 releases, 10.2.11 or later for 10.2 releases, and 10.1.14-h14 or later for 10.1 releases. As a workaround, configure the IPSec Crypto profile encryption on affected hardware PAN-OS firewalls to use a more secure algorithm such as AES-256-GCM or AES-256-CBC instead of AES-128-CCM (Palo Security).
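The following script is an added example (not code from Wiz or Palo Alto Networks) of how a defender can triage an inventory of firewalls against this advisory: it checks whether a device's hardware series is in the affected list, whether its PAN-OS version is at or above the fixed release for its branch (handling the 10.1.14-h14 hotfix suffix), and whether any IPSec crypto profile in the device's configuration still lists aes-128-ccm. The fixed versions and affected series come from the advisory text above; the XML config layout, the model-number matching rule, and the sample inventory are assumptions constructed for illustration and only approximate a real PAN-OS running config.

```python
"""Exposure triage for CVE-2025-0136 (AES-128-CCM for IPSec on PAN-OS hardware).

Added example. Version thresholds and affected series are taken from the
advisory; the config XML shape and device inventory are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases per PAN-OS branch, as (major, minor, patch, hotfix).
FIXED = {
    (11, 1): (11, 1, 5, 0),    # 11.1.5
    (11, 0): (11, 0, 7, 0),    # 11.0.7
    (10, 2): (10, 2, 11, 0),   # 10.2.11
    (10, 1): (10, 1, 14, 14),  # 10.1.14-h14
}

# Affected hardware series: PA-7500, PA-5400 (incl. PA-5400f), PA-3400,
# PA-1400, PA-400. Assumption: every model number within a series matches.
AFFECTED_MODEL = re.compile(r"^PA-(7500|54\d\d[a-z]?|34\d\d|14\d\d|4\d\d)$", re.I)

WEAK_CIPHER = "aes-128-ccm"


def parse_version(text):
    """'10.1.14-h14' -> (10, 1, 14, 14); '11.1.5' -> (11, 1, 5, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def version_is_fixed(text):
    """True/False against the branch's fixed release; None if the advisory
    does not list that branch (treat as 'check the vendor advisory')."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    return None if fixed is None else ver >= fixed


def weak_ipsec_profiles(config_xml):
    """Names of IPSec crypto profiles whose ESP encryption list includes
    aes-128-ccm. Assumes the ipsec-crypto-profiles/entry/esp/encryption/member
    layout sketched in SAMPLE_CONFIG below."""
    root = ET.fromstring(config_xml)
    hits = []
    for entry in root.findall(".//ipsec-crypto-profiles/entry"):
        ciphers = [m.text.strip().lower()
                   for m in entry.findall("esp/encryption/member") if m.text]
        if WEAK_CIPHER in ciphers:
            hits.append(entry.get("name"))
    return hits


def assess(model, version, config_xml):
    """Classify one firewall. Returns (status, weak_profile_names)."""
    profiles = weak_ipsec_profiles(config_xml)
    if not AFFECTED_MODEL.match(model):
        return ("not_affected_platform", profiles)  # e.g. VM-Series
    fixed = version_is_fixed(version)
    if fixed is None:
        return ("unknown_branch", profiles)
    if fixed:
        return ("patched", profiles)
    return ("exposed" if profiles else "unpatched_no_weak_profiles", profiles)


# Constructed sample config: one profile still on AES-128-CCM, one on AES-256-GCM.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><network><ike><crypto-profiles>
    <ipsec-crypto-profiles>
      <entry name="branch-vpn"><esp>
        <encryption><member>aes-128-ccm</member></encryption>
        <authentication><member>sha256</member></authentication></esp></entry>
      <entry name="dc-vpn"><esp>
        <encryption><member>aes-256-gcm</member></encryption>
        <authentication><member>none</member></authentication></esp></entry>
    </ipsec-crypto-profiles>
  </crypto-profiles></ike></network></entry></devices>
</config>"""

# Constructed inventory: (hostname, model, PAN-OS version).
INVENTORY = [
    ("fw-branch-01", "PA-5420", "10.2.10"),
    ("fw-branch-02", "PA-5420", "10.2.11"),
    ("fw-edge-01", "PA-460", "10.1.14-h13"),
    ("fw-cloud-01", "PA-VM", "10.2.10"),
]

if __name__ == "__main__":
    for host, model, ver in INVENTORY:
        status, weak = assess(model, ver, SAMPLE_CONFIG)
        print(f"{host:14} {model:8} {ver:12} {status:28} {','.join(weak)}")
```

A device reported as "exposed" needs both actions from the advisory: upgrade to the fixed release for its branch, and until then move the listed profiles off AES-128-CCM. "unpatched_no_weak_profiles" still warrants the upgrade, since a future profile change would reintroduce the exposure.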
