/
CVE-2025-0114CVE-2025-0114 PAN-OS: Denial of Service (DoS) in GlobalProtect
Exploit MaturityUNREPORTED
Response EffortN/A
RecoveryUSER
Value DensityCONCENTRATED
Attack VectorNETWORK
Attack ComplexityHIGH
Attack RequirementsNONE
AutomatableNO
User InteractionNONE
Product ConfidentialityNONE
Product IntegrityNONE
Product AvailabilityHIGH
Privileges RequiredNONE
Subsequent ConfidentialityNONE
Subsequent IntegrityNONE
Subsequent AvailabilityNONE
Description
A Denial of Service (DoS) vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software enables an unauthenticated attacker to render the service unavailable by sending a large number of specially crafted packets over a period of time. This issue affects both the GlobalProtect portal and the GlobalProtect gateway.
This issue does not apply to Cloud NGFWs or Prisma Access software.
Product Status
Please note that PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and older releases have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities and no fixes are planned. These versions are presumed to be affected.
Required Configuration for Exposure
This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect portal or gateway. You can verify whether you have a GlobalProtect portal or gateway configured on your firewall by checking entries in the firewall web interface (Network > GlobalProtect > Portals and Network > GlobalProtect > Gateways).
Severity:MEDIUM, Suggested Urgency:MODERATE
CVSS-BT:4.6 /CVSS-B:8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-400 Uncontrolled Resource Consumption
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.0 | 11.0.0 through 11.0.1 | Upgrade to 11.0.2 or later |
| PAN-OS 10.2 | 10.2.0 through 10.2.4 | Upgrade to 10.2.5 or later |
| PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h11 or later |
| All other older unsupported PAN-OS versions | Upgrade to a supported fixed version. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
Palo Alto Networks thanks an external reporter for discovering and reporting the issue.
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
Timeline
Initial Publication
