Palo Alto Networks Security Advisories / CVE-2025-0122

CVE-2025-0122 Prisma SD-WAN: Denial of Service (DoS) Vulnerability Through Burst of Crafted Packets

Urgency MODERATE

047910
Severity 4.9 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort LOW
Recovery AUTOMATIC
Value Density DIFFUSE
Attack Vector ADJACENT
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE
CVE JSON CSAF
Published 2025-04-09
Updated 2025-04-15
Reference CGSDW-23881
Discovered internally

Description

A denial-of-service (DoS) vulnerability in Palo Alto Networks Prisma® SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to disrupt the packet processing capabilities of the device by sending a burst of crafted packets to that device.

Product Status

VersionsAffectedUnaffected
Prisma SD-WAN 6.5< 6.5.1>= 6.5.1
Prisma SD-WAN 6.4< 6.4.2>= 6.4.2
Prisma SD-WAN 6.3< 6.3.4>= 6.3.4
Prisma SD-WAN 6.2AllNone
Prisma SD-WAN 6.1< 6.1.10>= 6.1.10
Prisma SD-WAN 5.6AllNone

Prisma SD-WAN 6.2 will reach its software end-of-life (EoL) date on 4 May 2025. Therefore we do not plan to fix this issue in Prisma SD-WAN 6.2. If you are using Prisma SD-WAN 6.2, we recommend that you upgrade to Prisma SD-WAN 6.3.4, Prisma SD-WAN 6.4.2, or Prisma SD-WAN 6.5.1.
Prisma SD-WAN 5.6 will reach its software end-of-life (EoL) date on 1 June 2025. Therefore we do not plan to fix this issue in Prisma SD-WAN 5.6. If you are using Prisma SD-WAN 5.6, we recommend that you upgrade to Prisma SD-WAN 6.3.4, Prisma SD-WAN 6.4.2, or Prisma SD-WAN 6.5.1.

Required Configuration for Exposure

No special configuration is needed to be vulnerable to this issue.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.9 / CVSS-B: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:A/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-770 Allocation of Resources Without Limits or Throttling

CAPEC-482 TCP Flood

Solution

VersionSuggested Solution
Prisma SD-WAN 6.5Upgrade to Prisma SD-WAN 6.5.1 or later
Prisma SD-WAN 6.4
Upgrade to Prisma SD-WAN 6.4.2 or later
Prisma SD-WAN 6.3Upgrade to Prisma SD-WAN 6.3.4 or later
Prisma SD-WAN 6.2Upgrade to Prisma SD-WAN 6.3.4 or later
Prisma SD-WAN 6.1Upgrade to Prisma SD-WAN 6.1.10 or later
Prisma SD-WAN 5.6Upgrade to Prisma SD-WAN 6.3.4 or later

Workarounds and Mitigations

There are no known workarounds for this issue.

Acknowledgments

Palo Alto Networks thanks Vajrapu Venkata Sarat Kumar of Palo Alto Networks for discovering and reporting the issue.

Timeline

Added information regarding Prisma SD-WAN 5.6
Initial Publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.