PAN-OS Packet Capture Allows Unlicensed View of Clear-Text HTTP/2 (Up to 11.0)
CVE-2025-0123 Published on April 11, 2025

PAN-OS: Information Disclosure Vulnerability in HTTP/2 Packet Captures
A vulnerability in the Palo Alto Networks PAN-OS® software enables unlicensed administrators to view clear-text data captured using the packet capture feature https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/take-packet-captures/take-a-custom-packet-capture in decrypted HTTP/2 data streams traversing network interfaces on the firewall. HTTP/1.1 data streams are not impacted. In normal conditions, decrypted packet captures are available to firewall administrators after they obtain and install a free Decryption Port Mirror license. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. For more information, review how to configure decryption port mirroring https://docs.paloaltonetworks.com/network-security/decryption/administration/monitoring-decryption/configure-decryption-port-mirroring . The administrator must obtain network access to the management interface (web, SSH, console, or telnet) and successfully authenticate to exploit this issue. Risk of this issue can be greatly reduced by restricting access to the management interface to only trusted administrators and from only internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . Customer firewall administrators do not have access to the packet capture feature in Cloud NGFW. This feature is available only to authorized Palo Alto Networks personnel permitted to perform troubleshooting. Prisma® Access is not impacted by this vulnerability.

Vendor Advisory NVD

Timeline

2025-04-09

Initial Publication

Weakness Type

Cleartext Storage of Sensitive Information

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Products Associated with CVE-2025-0123

Want to know whenever a new CVE is published for Palo Alto Networks PAN-OS? stack.watch will email you.

Palo Alto Networks PAN-OS

Affected Versions

Palo Alto Networks Cloud NGFW:

Version All is unaffected.

Palo Alto Networks PAN-OS:

Version 11.2.0 and below 11.2.6 is affected.
Version 11.1.0 and below 11.1.8 is affected.
Version 10.2.0 and below 10.2.15 is affected.
Version 10.1.0 and below 10.1.14-h13 is affected.

Palo Alto Networks Prisma Access:

Version All is unaffected.

Exploit Probability

EPSS

0.06%

Percentile

17.28%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.