PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)
Monitor · 6.8 · CVE-2025-2182 · Aug 13, 2025
Palo Alto Networks
IT in OT: Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A vulnerability in the MACsec protocol implementation in PAN-OS on PA-7500 Series firewalls results in the Connectivity Association Key (CAK) being exposed in cleartext. An attacker with access to the CAK can decrypt and read messages being sent between devices in a firewall cluster. This issue only applies to PA-7500 Series devices configured in an NGFW cluster using MACsec; non-clustered firewalls and clusters not using MACsec are not affected.
What this means
What could happen
An attacker with the exposed CAK could intercept and read all encrypted traffic between clustered PA-7500 firewalls, potentially exposing sensitive network communications passing through the cluster. This only affects firewalls using MACsec clustering; standalone or non-MACsec clustered devices are not vulnerable.
Who's at risk
Mid-size utilities and municipalities running Palo Alto Networks PA-7500 Series firewalls in clustered NGFW deployments with MACsec enabled. This affects organizations that have configured multi-unit firewall clusters for redundancy or load balancing and rely on MACsec for inter-device encryption. Standalone firewalls or clusters without MACsec are not affected.
How it could be exploited
An attacker who obtains the cleartext CAK (through configuration file access, memory dumps, or network inspection) can decrypt inter-cluster communications on the PA-7500 cluster. This requires direct access to the cluster infrastructure or ability to read the firewall configuration where the key is exposed.
Prerequisites
- Access to PA-7500 firewall configuration files or memory where the CAK is stored in cleartext
- Firewalls must be configured in a cluster using MACsec protocol
- Network position to intercept cluster communication traffic
- Affects clustering security
- No authentication required to exploit if attacker gains configuration access
- Low complexity to exploit once CAK is obtained
- No patch available for Prisma Access
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
2 with fix, 1 EOL
Product       | Affected Versions        | Fix Status
PAN-OS        | Below 11.2.8 on PA-7500  | 11.2.8 on PA-7500+
PAN-OS        | Below 11.1.10 on PA-7500 | 11.1.10 on PA-7500+
Prisma Access | None on PA-7500          | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: If MACsec clustering is not required, disable MACsec on PA-7500 clusters to eliminate the exposure
- HARDENING: Restrict physical and remote access to PA-7500 firewall management interfaces and configuration backups to prevent unauthorized CAK exposure
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
PAN-OS
- HOTFIX: Update PA-7500 devices running PAN-OS 11.2.x to version 11.2.8 or later
- HOTFIX: Update PA-7500 devices running PAN-OS 11.1.x to version 11.1.10 or later
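As an added illustration (not code from the advisory or from Palo Alto Networks), the following Python inventory check encodes the affected-version table and the remediation list above: it parses PAN-OS version strings, limits scope to PA-7500 Series devices, and separates cluster members that actually expose the CAK from devices that merely run a pre-fix release. The inventory fields and the sample devices are assumptions constructed for this example.

```python
"""Inventory check for CVE-2025-2182 exposure (added example, not vendor code).

Encodes the advisory's ranges: PA-7500 only, PAN-OS 11.2.x below 11.2.8 or
11.1.x below 11.1.10, exposed only when the device is a MACsec-enabled NGFW
cluster member. The Device fields are this example's assumption.
"""
from dataclasses import dataclass

# Fixed release per PAN-OS train, from the advisory's affected-products table.
FIXED_RELEASE = {
    (11, 2): (11, 2, 8),
    (11, 1): (11, 1, 10),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '11.2.7-h3' into (11, 2, 7). The '-hN' hotfix suffix is dropped
    because the advisory states its ranges on the base release number."""
    base = version.split("-", 1)[0]
    return tuple(int(part) for part in base.split("."))


@dataclass
class Device:
    """One firewall from an inventory (assumed format)."""
    name: str
    model: str        # e.g. "PA-7500" or "PA-5450"
    version: str      # PAN-OS version string as reported by the device
    clustered: bool   # member of an NGFW cluster
    macsec: bool      # MACsec enabled for inter-device cluster traffic


def assess(dev: Device) -> dict:
    """Classify a device against CVE-2025-2182 and name the advisory action."""
    result = {"device": dev.name, "status": "", "action": ""}

    # Only PA-7500 Series devices are in scope.
    if not dev.model.startswith("PA-7500"):
        result.update(status="not affected", action="none (not PA-7500 Series)")
        return result

    ver = parse_version(dev.version)
    fixed = FIXED_RELEASE.get(ver[:2])
    if fixed is None:
        # Trains the advisory does not list are flagged for manual review
        # rather than silently assumed safe.
        result.update(status="review",
                      action=f"PAN-OS {dev.version} is in a train the advisory "
                             "does not list; check vendor guidance")
        return result

    fixed_str = ".".join(map(str, fixed))
    if ver >= fixed:
        result.update(status="not affected",
                      action=f"none (running {dev.version}, fixed in {fixed_str})")
        return result

    # Vulnerable code is present; the CAK is only exposed when the device is a
    # MACsec-enabled cluster member.
    if dev.clustered and dev.macsec:
        result.update(
            status="exposed",
            action=(f"HOTFIX: update to PAN-OS {fixed_str} or later (maintenance "
                    "window, reboot possible); WORKAROUND until then: disable "
                    "MACsec on the cluster if it is not required"),
        )
    else:
        result.update(
            status="vulnerable version, not exposed",
            action=(f"update to PAN-OS {fixed_str} or later at the next window; "
                    "do not enable MACsec clustering before updating"),
        )
    return result


def exposed_devices(devices: list[Device]) -> list[str]:
    """Names of devices whose CAK is currently exposed."""
    return [a["device"] for a in map(assess, devices) if a["status"] == "exposed"]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("fw-ot-a", "PA-7500", "11.2.7-h2", clustered=True, macsec=True),
    Device("fw-ot-b", "PA-7500", "11.2.8-h1", clustered=True, macsec=True),
    Device("fw-it-1", "PA-7500", "11.1.9", clustered=False, macsec=False),
    Device("fw-dmz", "PA-5450", "11.1.2", clustered=True, macsec=True),
    Device("fw-lab", "PA-7500", "10.2.9", clustered=True, macsec=True),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        a = assess(dev)
        print(f"{a['device']:<8} {a['status']:<32} {a['action']}")
```

The split between "exposed" and "vulnerable version, not exposed" mirrors the advisory's scoping: a standalone PA-7500 on 11.1.9 still needs the update at the next window, but it is not leaking a CAK today, so it should not displace a MACsec cluster member in the patch queue.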
CVEs (1)
CVE-2025-2182
API: /api/v1/advisories/8bfe4fd3-34f8-4af8-983e-8d99de06e844