CVE-2025-0114
📋 TL;DR
An unauthenticated attacker can cause a Denial of Service (DoS) in Palo Alto Networks PAN-OS GlobalProtect by sending specially crafted packets over time, rendering the GlobalProtect portal and gateway unavailable. This affects PAN-OS software but not Cloud NGFWs or Prisma Access. Organizations using vulnerable PAN-OS versions with GlobalProtect enabled are at risk.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
Pan Os by Paloaltonetworks
⚠️ Risk & Real-World Impact
Worst Case
GlobalProtect services become completely unavailable, preventing remote access and VPN connectivity for all users, potentially disrupting business operations.
Likely Case
Intermittent service degradation or complete outages affecting remote users' ability to connect via GlobalProtect VPN.
If Mitigated
Minimal impact with proper network segmentation, rate limiting, and timely patching.
🎯 Exploit Status
Exploitation requires sending a large volume of specially crafted packets over time, which may be detectable through network monitoring.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions.
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2025-0114
Restart Required: No
Instructions:
1. Review the vendor advisory for affected and fixed versions.
2. Apply the recommended patch or upgrade to a fixed version.
3. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure rate limiting on network devices to restrict the number of packets sent to GlobalProtect services, reducing the impact of DoS attempts.
Specific commands depend on network device vendor; consult device documentation for rate limiting configuration.
Network Segmentation
Isolate GlobalProtect services in a segmented network zone with strict access controls to limit exposure.
Configure firewall rules to restrict access to GlobalProtect services from untrusted networks.
🧯 If You Can't Patch
- Implement network-based intrusion prevention systems (IPS) to detect and block malicious packet patterns targeting GlobalProtect.
- Monitor GlobalProtect service logs and network traffic for unusual activity indicative of DoS attempts.
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version and GlobalProtect configuration. If GlobalProtect is enabled and the version is within the affected range (as specified in the vendor advisory), the system is vulnerable.
Check Version:
show system info (on PAN-OS CLI) or check via web interface under Device > Setup > Operations.
Verify Fix Applied:
After applying the patch, verify the PAN-OS version is updated to a fixed version and test GlobalProtect connectivity to ensure services are operational.
📡 Detection & Monitoring
Log Indicators:
- Unusual increase in failed connection attempts to GlobalProtect
- High volume of packets from single or multiple sources targeting GlobalProtect ports
Network Indicators:
- Spike in traffic to GlobalProtect ports (default UDP 4501, TCP 443)
- Patterns of malformed packets in network captures
SIEM Query:
Example: source_ip_count BY dest_port WHERE dest_port IN (4501, 443) AND protocol IN ("UDP", "TCP") OVER 1h > threshold
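The pseudo-query above counts distinct source IPs per GlobalProtect port over one-hour windows. The following is an added example (not code from the advisory or from Palo Alto Networks) that implements the same logic in Python over a few constructed flow records, so the threshold behaviour can be tried offline. The log format, the sample IPs and the threshold value are assumptions for illustration; the ports and protocols (UDP 4501, TCP 443) are the GlobalProtect defaults named above.

```python
"""Added example (not from the advisory): a minimal detection that mirrors the
page's SIEM pseudo-query -- count distinct source IPs per GlobalProtect port
over 1-hour windows and alert when the count exceeds a threshold.
The record format and the sample lines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# GlobalProtect default ports named on the page, with the protocol expected on each
GP_PORTS = {4501: "UDP", 443: "TCP"}

# Constructed sample flow records: "<ISO timestamp> <src_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2025-01-15T10:02:11Z 203.0.113.5 443 TCP
2025-01-15T10:03:40Z 203.0.113.6 443 TCP
2025-01-15T10:04:02Z 198.51.100.7 4501 UDP
2025-01-15T10:05:19Z 198.51.100.8 4501 UDP
2025-01-15T10:06:55Z 198.51.100.9 4501 UDP
2025-01-15T10:07:30Z 198.51.100.10 4501 UDP
2025-01-15T10:08:01Z 198.51.100.10 4501 UDP
2025-01-15T10:09:44Z 192.0.2.20 53 UDP
2025-01-15T11:15:00Z 203.0.113.5 443 TCP
"""


def parse_line(line):
    """Parse one constructed record into (hour_bucket, src_ip, dst_port, proto)."""
    ts, src, port, proto = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    bucket = when.replace(minute=0, second=0, microsecond=0)  # OVER 1h window
    return bucket, src, int(port), proto


def count_sources(log_text):
    """Aggregate records hitting GlobalProtect ports.

    Returns {(hour_bucket, dst_port): {"sources": set_of_src_ips, "packets": int}}.
    Records on other ports, or with a protocol that does not match the port's
    expected one, are ignored (the WHERE clause of the pseudo-query)."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bucket, src, port, proto = parse_line(line)
        if GP_PORTS.get(port) != proto:
            continue
        entry = stats[(bucket, port)]
        entry["sources"].add(src)
        entry["packets"] += 1
    return stats


def find_alerts(log_text, threshold):
    """Return (window_iso, dst_port, distinct_sources, packets) for every
    hour/port bucket whose distinct-source count exceeds the threshold."""
    alerts = []
    for (bucket, port), entry in sorted(count_sources(log_text).items()):
        n = len(entry["sources"])
        if n > threshold:
            alerts.append((bucket.isoformat(), port, n, entry["packets"]))
    return alerts


if __name__ == "__main__":
    # threshold=3 is an assumed value; tune it to the site's normal client count
    for alert in find_alerts(SAMPLE_LOG, threshold=3):
        print("ALERT window=%s port=%d sources=%d packets=%d" % alert)
```

With the sample records, only the 10:00 window on UDP 4501 trips a threshold of 3 (four distinct sources, five packets); the DNS record on port 53 and the TCP 443 traffic from two clients are ignored or stay under the threshold. Because the page also lists a single source as a possible origin, a production rule would pair this distinct-source count with a per-source packet-rate check, which the "packets" field already makes available.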