CVE-2025-0114 PAN-OS: Denial of Service (DoS) in GlobalProtect
Description
A Denial of Service (DoS) vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software enables an unauthenticated attacker to render the service unavailable by sending a large number of specially crafted packets over a period of time. This issue affects both the GlobalProtect portal and the GlobalProtect gateway.
This issue does not apply to Cloud NGFWs or Prisma Access software.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.2 | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.2 | >= 11.0.2 |
| PAN-OS 10.2 | < 10.2.5 | >= 10.2.5 |
| PAN-OS 10.1 | < 10.1.14-h11 | >= 10.1.14-h11 |
| Prisma Access | None | All |
Please note that PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and older releases have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities and no fixes are planned. These versions are presumed to be affected.
Required Configuration for Exposure
This issue is applicable only to PAN-OS firewall configurations with an enabled GlobalProtect portal or gateway. You can verify whether you have a GlobalProtect portal or gateway configured on your firewall by checking entries in the firewall web interface (Network > GlobalProtect > Portals and Network > GlobalProtect > Gateways).
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.6 / CVSS-B: 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-400 Uncontrolled Resource Consumption
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| PAN-OS 11.0 | 11.0.0 through 11.0.1 | Upgrade to 11.0.2 or later |
| PAN-OS 10.2 | 10.2.0 through 10.2.4 | Upgrade to 10.2.5 or later |
| PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h11 or later |
| All other older unsupported PAN-OS versions | Upgrade to a supported fixed version. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*