PAN-OS: Session Token Disclosure Vulnerability

Monitor · CVSS 4.8 · CVE-2025-4614 · Oct 8, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An information disclosure vulnerability in PAN-OS allows an authenticated administrator to view session tokens of users authenticated to the firewall web UI. These tokens could enable impersonation and unauthorized firewall management. The risk is minimized when CLI access is restricted to a limited group of administrators.

What this means
What could happen
An authenticated administrator with CLI access could view session tokens of other firewall web UI users, enabling account takeover and unauthorized firewall management changes.
Who's at risk
Network security teams managing Palo Alto Networks Prisma Access deployments should prioritize this issue. The vulnerability affects firewall administrators and users whose session tokens could be exposed via insider access to the CLI.
How it could be exploited
An attacker with valid administrator CLI credentials connects to the firewall command-line interface and executes commands that expose active session tokens. These tokens can then be used to impersonate legitimate firewall administrators in the web UI.
Prerequisites
  • Valid administrative CLI credentials for the PAN-OS device
  • Network access to the firewall's CLI port (SSH or serial console)
  • Target device running PAN-OS below version 11.2.8
  • Requires valid administrative credentials
  • Information disclosure (session token leakage)
  • Low CVSS score (4.8)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: Prisma Access
Affected versions: below 11.2.8
Fix status: 11.2.8+
Remediation & Mitigation
Do now
HARDENING: Restrict CLI access to a minimal set of trusted administrators using firewall access control lists or jump host controls
WORKAROUND: Review firewall admin access logs for unauthorized CLI sessions
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Prisma Access to version 11.2.8 or later
API: /api/v1/advisories/ccff9b0f-fcf5-4bb2-9ef8-89a1ff10824f


PAN-OS: Session Token Disclosure Vulnerability | CVSS 4.8 - OTPulse