CVE-2025-4614
📋 TL;DR
An authenticated administrator in Palo Alto Networks PAN-OS software can view session tokens of users logged into the firewall web UI, potentially enabling impersonation of those users. This affects PAN-OS firewalls with web UI access, but not Cloud NGFW or Prisma Access. The risk is significantly reduced when CLI access is restricted to a limited group of administrators.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious administrator could steal session tokens and impersonate other users, potentially gaining unauthorized access to sensitive firewall configurations or performing actions as other users.
Likely Case
Accidental or intentional viewing of session tokens by authorized administrators, with limited exploitation due to existing authentication requirements and administrative controls.
If Mitigated
Minimal risk when proper access controls are implemented, particularly restricting CLI access to trusted administrators only.
🎯 Exploit Status
Requires authenticated administrator access to the firewall web UI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2025-4614
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Download and apply the appropriate PAN-OS patch.
3. Restart the firewall to apply the changes.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Restrict CLI Access
Limit CLI access to a small group of trusted administrators to minimize the risk of token exposure.
Configure role-based access control to restrict CLI permissions
🧯 If You Can't Patch
- Implement strict role-based access control to limit administrative access
- Monitor administrator activity logs for unusual session token access patterns
🔍 How to Verify
Check if Vulnerable:
Compare the running PAN-OS version against the affected versions listed in the vendor advisory
Check Version:
show system info
Verify Fix Applied:
Verify PAN-OS version is updated to a version not listed as vulnerable in the vendor advisory
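The version check above can be scripted once you have the fixed versions from the advisory. The following is an added example, not part of this advisory or Palo Alto Networks' tooling: it parses the `sw-version` line from `show system info` output (a constructed sample is embedded), handles PAN-OS hotfix suffixes such as `-h3`, and compares the result against a placeholder table of first-fixed versions per release train. The version numbers in `FIXED_VERSIONS_PLACEHOLDER` are placeholders and must be replaced with the values from the vendor advisory for CVE-2025-4614.

```python
"""Check a PAN-OS `show system info` dump against first-fixed versions.

Added example: not from the advisory. The fixed-version table is a placeholder
to be filled from https://security.paloaltonetworks.com/CVE-2025-4614.
"""
import re

# PLACEHOLDER: first fixed version per release train ("major.minor").
# Replace every value with the ones published in the vendor advisory.
FIXED_VERSIONS_PLACEHOLDER = {
    "10.1": "10.1.99",
    "10.2": "10.2.99",
    "11.1": "11.1.99",
}

# Constructed sample of `show system info` output, trimmed to a few fields.
SAMPLE_SHOW_SYSTEM_INFO = """hostname: fw-edge-01
model: PA-460
sw-version: 10.2.7-h3
app-version: 8901-8200
"""

# PAN-OS versions look like 10.2.7 or 10.2.7-h3 (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def version_tuple(version):
    """Turn '10.2.7-h3' into (10, 2, 7, 3); a missing hotfix counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def parse_sw_version(show_system_info_output):
    """Extract the sw-version field from `show system info` output."""
    for line in show_system_info_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version line not found")


def is_vulnerable(show_system_info_output, fixed=FIXED_VERSIONS_PLACEHOLDER):
    """True if the running version predates the first fixed version of its train.

    Returns None when the release train is not in the table, meaning the
    advisory must be consulted manually rather than assumed safe.
    """
    running = version_tuple(parse_sw_version(show_system_info_output))
    train = f"{running[0]}.{running[1]}"
    if train not in fixed:
        return None
    return running < version_tuple(fixed[train])


if __name__ == "__main__":
    ver = parse_sw_version(SAMPLE_SHOW_SYSTEM_INFO)
    print(f"running {ver}: vulnerable={is_vulnerable(SAMPLE_SHOW_SYSTEM_INFO)}")
```

The comparison is tuple-based so that a hotfix build (for example `10.2.7-h3`) sorts after the base `10.2.7` release; a train absent from the table returns `None` rather than `False`, so an unlisted release is never silently treated as fixed.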
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator access to session management functions
- Multiple user sessions from single administrator account
Network Indicators:
- Unexpected authentication attempts using known session tokens
SIEM Query:
Search for administrator account accessing session token data or unusual user impersonation patterns
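One of the log indicators above, multiple concurrent sessions from a single administrator account, can be turned into a simple detection over authentication events. The following is an added example and not part of this advisory or any vendor tooling: it runs over constructed, simplified login/logout records (not real PAN-OS log output; a real deployment would map the firewall's system-log fields into the same four values) and flags any administrator account that holds open web UI sessions from more than one source address at the same time.

```python
"""Flag administrator accounts with concurrent sessions from multiple sources.

Added example: the event lines below are constructed for illustration and
do not reproduce the PAN-OS log format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: ISO timestamp, event, user, source IP.
SAMPLE_EVENTS = [
    "2025-06-01T09:00:00 login  admin   10.0.0.5",
    "2025-06-01T09:01:00 login  auditor 10.0.0.9",
    "2025-06-01T09:05:00 login  admin   203.0.113.7",
    "2025-06-01T09:30:00 logout admin   10.0.0.5",
    "2025-06-01T10:00:00 login  auditor 10.0.0.9",
]


def parse_event(line):
    """Split one constructed event line into (timestamp, event, user, source)."""
    ts, event, user, source = line.split()
    return datetime.fromisoformat(ts), event, user, source


def concurrent_session_alerts(lines, threshold=2):
    """Return {user: peak distinct sources} for accounts at or above threshold.

    Sessions are tracked per user as a set of source addresses with an open
    session; a logout from a source closes that source's session.
    """
    events = sorted(parse_event(line) for line in lines)  # order by time
    active = defaultdict(set)  # user -> source IPs with an open session
    alerts = {}
    for _ts, event, user, source in events:
        if event == "login":
            active[user].add(source)
            if len(active[user]) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(active[user]))
        elif event == "logout":
            active[user].discard(source)
    return alerts


if __name__ == "__main__":
    for user, peak in concurrent_session_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} had {peak} concurrent sessions from distinct sources")
```

Keying the open sessions on source address rather than raw login count means a user who reconnects from the same workstation is not flagged, while an account that is active from two places at once is; the threshold can be raised for accounts that legitimately administer from several hosts.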