CVE-2025-0122 Prisma SD-WAN: Denial of Service (DoS) Vulnerability Through Burst of Crafted Packets
Exploit Maturity: UNREPORTED
Response Effort: LOW
Recovery: AUTOMATIC
Value Density: DIFFUSE
Attack Vector: ADJACENT
Attack Complexity: LOW
Attack Requirements: NONE
Automatable: YES
User Interaction: NONE
Product Confidentiality: NONE
Product Integrity: NONE
Product Availability: HIGH
Privileges Required: NONE
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE
Description
A denial-of-service (DoS) vulnerability in Palo Alto Networks Prisma® SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to disrupt the packet processing capabilities of the device by sending a burst of crafted packets to that device.
Product Status
We do not plan to fix this issue in Prisma SD-WAN 6.2. If you are using Prisma SD-WAN 6.2, we recommend that you upgrade to Prisma SD-WAN 6.3.4, Prisma SD-WAN 6.4.2, or Prisma SD-WAN 6.5.1.
Required Configuration for Exposure
No special configuration is needed to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.9 / CVSS-B: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:A/V:D/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-770 Allocation of Resources Without Limits or Throttling
Solution
Version | Suggested Solution |
---|---|
Prisma SD-WAN 6.5 | Upgrade to Prisma SD-WAN 6.5.1 or later |
Prisma SD-WAN 6.4 | Upgrade to Prisma SD-WAN 6.4.2 or later |
Prisma SD-WAN 6.3 | Upgrade to Prisma SD-WAN 6.3.4 or later |
Prisma SD-WAN 6.2 | Upgrade to Prisma SD-WAN 6.3.4 or later |
Prisma SD-WAN 6.1 | Upgrade to Prisma SD-WAN 6.1.10 or later |
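
The table above can be applied to a device inventory with a short script. This is an added example, not code from Palo Alto Networks; the device names and the sample inventory are constructed. It assumes any release below the listed fix in a listed train needs the upgrade, and it compares versions numerically because a plain string comparison would rank 6.1.9 above 6.1.10.

```python
import re

# Minimum fixed release per train, copied from the Solution table.
# 6.2 has no fix in its own train; the table points it at 6.3.4.
FIXED = {
    (6, 1): (6, 1, 10),
    (6, 2): (6, 3, 4),
    (6, 3): (6, 3, 4),
    (6, 4): (6, 4, 2),
    (6, 5): (6, 5, 1),
}

def parse_version(text):
    """Return (major, minor, patch) as integers; trailing text is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version_text):
    """Classify one software version against the Solution table."""
    version = parse_version(version_text)
    target = FIXED.get(version[:2])
    if target is None:
        return ("unlisted", None)  # train not covered by the table
    if version >= target:          # tuple comparison, so 6.1.10 > 6.1.9
        return ("fixed", None)
    return ("upgrade", ".".join(map(str, target)))

def audit(inventory):
    """Map device name -> (status, target) for a {name: version} inventory."""
    results = {}
    for name, version_text in inventory.items():
        try:
            results[name] = assess(version_text)
        except ValueError:
            results[name] = ("unparsed", None)
    return results

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE = {"branch-01": "6.1.9", "branch-02": "6.2.3",
          "hub-01": "6.4.2", "lab-01": "unknown"}

if __name__ == "__main__":
    for name, (status, target) in audit(SAMPLE).items():
        print(f"{name}: {status}" + (f" -> {target} or later" if target else ""))
```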
Workarounds and Mitigations
There are no known workarounds for this issue.
Acknowledgments
Palo Alto Networks thanks Vajrapu Venkata Sarat Kumar of Palo Alto Networks for discovering and reporting the issue.
CPEs
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.5.0:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.4.0:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.4.1:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.3.0:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.3.1:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.3.2:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.3.3:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.1.0:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.1.1:-:*:*:*:*:*:*
cpe:2.3:undefined:paloaltonetworks:prisma_sd-wan:6.1.2:-:*:*:*:*:*:*
Timeline
Initial Publication