CVE-2025-4619: Unauthenticated DoS Vulnerability in Palo Alto Networks PAN-OS

Published: 2025-11-13T21:15:49.833

Overview

This blog post provides an overview of CVE-2025-4619, a denial-of-service (DoS) vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability allows an unauthenticated attacker to remotely trigger a firewall reboot by sending a specially crafted packet through the dataplane. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network services.

Technical Details

CVE-2025-4619 is triggered by a malformed packet traversing the PAN-OS dataplane. The specific details of the packet structure are not publicly available to prevent widespread exploitation. However, it is known that a successful exploit results in an unexpected system error that leads to a firewall reboot. Continuous exploitation will push the firewall into maintenance mode, further exacerbating the denial-of-service condition.

This vulnerability affects PA-Series firewalls, VM-Series firewalls, and Prisma® Access software running vulnerable versions of PAN-OS. Cloud NGFW is not affected by this vulnerability.

CVSS Analysis

The CVSS score for CVE-2025-4619 is currently listed as N/A. A denial-of-service vulnerability typically receives a moderate to high severity rating, depending on the ease of exploitation and the impact on system availability. We anticipate that the eventual CVSS score will reflect the potential for significant service disruption.

Possible Impact

The exploitation of CVE-2025-4619 can lead to significant disruption of network services. The primary impact is a denial-of-service condition, resulting in:

  • Firewall reboots, interrupting network traffic flow.
  • Firewall entering maintenance mode, requiring administrative intervention to restore service.
  • Potential for prolonged network outages.

Mitigation and Patch Steps

Palo Alto Networks has addressed this vulnerability in updated versions of PAN-OS. The primary mitigation strategy is to upgrade to a patched PAN-OS version as soon as possible.

Prisma Access Update Status: Palo Alto Networks has already completed the Prisma Access upgrade for the majority of customers. Those facing issues such as conflicting maintenance windows are being scheduled for an upgrade through the standard upgrade process.

Action Items:

  • Identify all PA-Series and VM-Series firewalls running PAN-OS.
  • Check your current PAN-OS version and determine if it is affected.
  • Schedule an upgrade to the latest stable PAN-OS version that addresses CVE-2025-4619. Refer to Palo Alto Networks’ advisory for specific version details.
  • For Prisma Access customers, monitor communications from Palo Alto Networks regarding upgrade scheduling.
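
One way to script the version check in the action items above, as an added example that is not from Palo Alto Networks or the original post. The fixed-release table and the inventory are constructed placeholders; it assumes the advisory lists one or more fixed releases per branch and that a hotfix covers only its own maintenance release.

```python
import re

# PAN-OS releases look like "10.2.9" or "10.2.9-h4" (hotfix 4 on 10.2.9).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos(version):
    """Return (major, minor, maintenance, hotfix), or None if unrecognised."""
    m = _VERSION.match(version.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_patched(version, fixed):
    """True if `version` is covered by any release in the `fixed` list.

    Assumption: a hotfix entry covers only its own maintenance release, and
    anything at or above the newest listed fix carries the fix forward.
    """
    if version >= max(fixed):
        return True
    return any(version[:3] == f[:3] and version[3] >= f[3] for f in fixed)

def triage(inventory, fixed_by_branch):
    """Map host -> 'patched', 'upgrade', or 'review' (unknown branch/format)."""
    report = {}
    for host, raw in inventory.items():
        version = parse_panos(raw)
        branch = f"{version[0]}.{version[1]}" if version else None
        fixed = [parse_panos(f) for f in fixed_by_branch.get(branch, [])]
        if version is None or not fixed or None in fixed:
            report[host] = "review"  # never assume an unknown is safe
        else:
            report[host] = "patched" if is_patched(version, fixed) else "upgrade"
    return report

# CONSTRUCTED placeholders, not real fixed versions: fill from the advisory.
FIXED_BY_BRANCH = {"10.2": ["10.2.4-h90", "10.2.99"], "11.1": ["11.1.99"]}
# CONSTRUCTED sample inventory (hostnames and versions are made up).
INVENTORY = {
    "fw-edge-01": "10.2.4-h91",   # hotfix line at/above the listed hotfix
    "fw-edge-02": "10.2.5",       # newer maintenance, but below 10.2.99
    "fw-dc-01": "11.1.99-h2",
    "fw-lab-01": "9.1.0",         # branch not in the table
    "fw-lab-02": "11.1.4-c12",    # unrecognised build string
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY, FIXED_BY_BRANCH).items()):
        print(f"{host:12} {INVENTORY[host]:12} {status}")
```

Hosts reported as "review" are on a branch or build string the table does not cover and need a manual check against the advisory.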

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
