PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Packets

Plan Patch | CVSS 8.7 | CVE-2025-4619 | Nov 12, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A denial-of-service vulnerability in Palo Alto Networks Prisma Access software allows an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane. Repeated reboot attempts cause the firewall to enter maintenance mode, disrupting network operations. The issue affects Prisma Access versions below 11.2.2-h2, 11.2.3-h6, 11.2.4-h4, and 11.2.5, depending on the version track deployed. PA-Series and VM-Series firewalls running vulnerable PAN-OS versions are also affected.

What this means
What could happen
An unauthenticated attacker can send specially crafted packets to reboot your firewall without credentials, disrupting network traffic and potentially preventing communication between sites or branch offices connected through Prisma Access. Repeated attacks could force the firewall into maintenance mode, requiring manual intervention to restore operation.
Who's at risk
Organizations using Palo Alto Networks Prisma Access (cloud-delivered security platform for branch and remote user connectivity) should prioritize patching. This affects any site or remote office relying on Prisma Access for perimeter security, including branch firewalls, remote access gateways, and SD-WAN edge devices.
How it could be exploited
An attacker on the network path to your firewall (or with routing visibility to it) sends a specially crafted packet targeting the dataplane. The firewall processes the malformed packet and crashes, triggering an automatic reboot. The attacker can repeat this to force the firewall into maintenance mode, effectively blocking traffic.
Prerequisites
  • Network reachability to the firewall's dataplane interface
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects cloud security platform used by enterprises
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 with fix
Product          Affected Versions    Fix Status
Prisma Access    Below 11.2.2-h2      11.2.2-h2+
Prisma Access    Below 11.2.3-h6      11.2.3-h6+
Prisma Access    Below 11.2.4-h4      11.2.4-h4+
Prisma Access    Below 11.2.5         11.2.5+
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Prisma Access
HOTFIX: Update Prisma Access to version 11.2.2-h2 or later (or 11.2.3-h6, 11.2.4-h4, or 11.2.5 depending on your current version track)
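
A triage sketch for the hotfix guidance above, added here as an example (not OTPulse's or Palo Alto Networks' code): it parses `X.Y.Z-hN` version strings and checks them against the fixed builds in the Affected products table. It assumes only 11.2 builds are judged, since those are the only ones the page lists; the function names and the sample inventory are constructed.

```python
import re

# From the advisory table: maintenance track (X, Y, Z) -> first fixed hotfix.
FIXED_HOTFIX = {(11, 2, 2): 2, (11, 2, 3): 6, (11, 2, 4): 4}
FIRST_FIXED_BASE = (11, 2, 5)  # 11.2.5 and later need no hotfix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y, Z), N); N is 0 without a hotfix."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)


def triage(version):
    """Return 'fixed', 'affected' or 'unknown' for one reported version."""
    base, hotfix = parse_version(version)
    if base[:2] != (11, 2):
        # Assumption: the page lists only 11.2 builds; others are not judged.
        return "unknown"
    if base >= FIRST_FIXED_BASE:
        return "fixed"
    needed = FIXED_HOTFIX.get(base)
    if needed is not None and hotfix >= needed:
        return "fixed"
    # Below 11.2.2-h2, or on a listed track but under its fixed hotfix.
    return "affected"


def triage_inventory(inventory):
    """Map each device name to its triage result; bad strings -> 'unparsed'."""
    results = {}
    for name, version in inventory.items():
        try:
            results[name] = triage(version)
        except ValueError:
            results[name] = "unparsed"
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = {"branch-a": "11.2.3-h5", "branch-b": "11.2.4-h4",
              "hq": "11.2.5", "lab": "11.2.1", "legacy": "10.2.9-h1"}
    print(triage_inventory(sample))
```

Anything reported as `unknown` or `unparsed` needs a manual check against the vendor advisory rather than being treated as safe.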
Long-term hardening
HARDENING: Implement network segmentation to restrict direct network access to firewall dataplane interfaces from untrusted sources
HARDENING: Monitor firewall reboot logs and alerts for repeated unexpected reboot events, which may indicate active exploitation attempts

PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Packets | CVSS 8.7 - OTPulse