Palo Alto Networks PAN-OS
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*
- >= 11.1.0, <= 11.1.4
- >= 11.0.0, <= 11.0.6
- >= 10.2.0, <= 10.2.10
- >= 10.1.0, < 10.1.14-h14
A vulnerability exists in certain Palo Alto Networks PAN-OS firewalls, specifically Intel-based hardware appliances, when the AES-128-CCM algorithm is selected for IPSec (ESP) encryption. Under that condition the firewall sends data that should be protected by the IPSec tunnel in cleartext to the devices connected through it. Affected firewall models are the PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series. Cloud NGFWs, Prisma Access instances, and PAN-OS VM-Series firewalls are not affected. Note that AES-128-CCM is not a recommended algorithm for IPSec on PAN-OS in the first place.
The impact is loss of confidentiality: no active exploitation step is needed, since traffic that should be encrypted by ESP is transmitted in cleartext over the IPSec tunnel, and anyone able to observe the tunnel traffic on the network path can read it.
Upgrade to PAN-OS 11.1.5, 11.0.7, 10.2.11, or 10.1.14-h14, whichever matches the release train in use. Deployments on an older, unsupported PAN-OS release should upgrade to a supported fixed version. As a workaround until the upgrade is applied, edit the IPSec Crypto profile so that ESP encryption uses a different algorithm, such as AES-256-GCM or AES-256-CBC, and make sure AES-128-CCM is removed from the profile rather than merely supplemented, so that it can no longer be negotiated.
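As an added example that is not part of this advisory or of Palo Alto Networks' own tooling, the following Python script checks an exported PAN-OS configuration for IPSec crypto profiles whose ESP encryption list includes aes-128-ccm, finds the tunnels that reference those profiles, and compares a running PAN-OS version (including -hN hotfix suffixes) against the fixed releases named above. The sample export is constructed here; the XML element paths and the PAN-OS CLI commands it prints are assumptions based on the usual PAN-OS configuration layout and should be verified against the CLI reference for your release before use.

```python
"""Audit a PAN-OS config export for the AES-128-CCM IPSec issue (added example, not vendor code)."""
import re
import xml.etree.ElementTree as ET

# Fixed releases from the advisory text, keyed by release train.
FIXED_RELEASES = {"11.1": "11.1.5", "11.0": "11.0.7", "10.2": "10.2.11", "10.1": "10.1.14-h14"}

# Constructed sample of a PAN-OS XML export (assumed layout): one profile using
# aes-128-ccm, one using aes-256-gcm, and one tunnel bound to each.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><network>
    <ike><crypto-profiles><ipsec-crypto-profiles>
      <entry name="legacy-ccm"><esp>
        <encryption><member>aes-128-ccm</member></encryption>
        <authentication><member>none</member></authentication>
      </esp></entry>
      <entry name="strong-gcm"><esp>
        <encryption><member>aes-256-gcm</member></encryption>
        <authentication><member>none</member></authentication>
      </esp></entry>
    </ipsec-crypto-profiles></crypto-profiles></ike>
    <tunnel><ipsec>
      <entry name="to-branch-a"><auto-key>
        <ipsec-crypto-profile>legacy-ccm</ipsec-crypto-profile></auto-key></entry>
      <entry name="to-branch-b"><auto-key>
        <ipsec-crypto-profile>strong-gcm</ipsec-crypto-profile></auto-key></entry>
    </ipsec></tunnel>
  </network></entry></devices>
</config>"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(version):
    """Turn '10.1.14-h14' into (10, 1, 14, 14); a plain '10.1.14' gets hotfix 0 so it sorts below -h1."""
    match = VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version):
    """True if the version is at or above the fixed release of its train; None if the train
    is not listed in the advisory (older, unsupported trains must upgrade regardless)."""
    train = ".".join(version.split(".")[:2])
    if train not in FIXED_RELEASES:
        return None
    return parse_version(version) >= parse_version(FIXED_RELEASES[train])


def profiles_using_ccm(config_xml):
    """Map each IPSec crypto profile that lists aes-128-ccm to its full ESP encryption list."""
    root = ET.fromstring(config_xml)
    flagged = {}
    for profile in root.iterfind(".//ipsec-crypto-profiles/entry"):
        algorithms = [m.text for m in profile.iterfind("./esp/encryption/member")]
        if "aes-128-ccm" in algorithms:
            flagged[profile.get("name")] = algorithms
    return flagged


def tunnels_using_profiles(config_xml, profile_names):
    """Map each IPSec tunnel bound to one of the given crypto profiles to that profile."""
    root = ET.fromstring(config_xml)
    hits = {}
    for tunnel in root.iterfind(".//tunnel/ipsec/entry"):
        profile = tunnel.findtext("./auto-key/ipsec-crypto-profile")
        if profile in profile_names:
            hits[tunnel.get("name")] = profile
    return hits


def remediation_commands(profile_names):
    """Assumed PAN-OS configure-mode CLI: drop aes-128-ccm from the ESP list and add aes-256-gcm.
    Verify the syntax against your release's CLI reference before running it."""
    commands = []
    for name in sorted(profile_names):
        base = f"network ike crypto-profiles ipsec-crypto-profiles {name} esp encryption"
        commands.append(f"delete {base} aes-128-ccm")
        commands.append(f"set {base} aes-256-gcm")
    return commands


if __name__ == "__main__":
    flagged = profiles_using_ccm(SAMPLE_CONFIG)
    print("profiles using aes-128-ccm:", flagged)
    print("tunnels affected:", tunnels_using_profiles(SAMPLE_CONFIG, set(flagged)))
    for cmd in remediation_commands(flagged):
        print(cmd)
    for v in ("10.1.14", "10.1.14-h14", "11.1.4", "11.1.5"):
        print(v, "fixed" if is_fixed(v) else "vulnerable")
```

The version comparison treats a release without a hotfix suffix as hotfix 0, which is what makes 10.1.14 sort below 10.1.14-h14; a naive string comparison would get that wrong. Run the script against a real export (`show config running` saved as XML, or a Panorama device-group export) by replacing SAMPLE_CONFIG with the file contents; it needs no network access.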