Palo Alto Networks PAN-OS 10.1.x < 10.1.14-h11 / 10.2.x < 10.2.10-h6 / 11.0.x < 11.0.6 / 11.1.x < 11.1.5 / 11.2.x < 11.2.3 Vulnerability

🗓️ 09 Apr 2025 00:00:00Reported by TenableType

Palo Alto Networks PAN-OS versions below specified are vulnerable to session fixation attacks via SAML.

Reporter	Title	Published	Views	Family All 11
BDU FSTEC	The vulnerability of the SAML (Security Assertion Markup Language) technology in the PAN-OS operating system allows a perpetrator to increase their privileges.	23 Apr 202500:00	–	bdu_fstec
Circl	CVE-2025-0126	9 Apr 202514:00	–	circl
CNNVD	Palo Alto Networks PAN-OS 授权问题漏洞	11 Apr 202500:00	–	cnnvd
CVE	CVE-2025-0126	11 Apr 202501:57	–	cve
Cvelist	CVE-2025-0126 PAN-OS: Session Fixation Vulnerability in GlobalProtect SAML Login	11 Apr 202501:57	–	cvelist
EUVD	EUVD-2025-15135	3 Oct 202520:07	–	euvd
NVD	CVE-2025-0126	11 Apr 202502:15	–	nvd
Palo Alto Networks	PAN-OS: Session Fixation Vulnerability in GlobalProtect SAML Login	9 Apr 202516:00	–	paloalto
Positive Technologies	PT-2025-16006 · Palo Alto Networks · Globalprotect	9 Apr 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-0126	13 Apr 202502:27	–	redhatcve

Source	Link
security	www.security.paloaltonetworks.com/CVE-2025-0126
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(234100);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/12");

  script_cve_id("CVE-2025-0126");
  script_xref(name:"IAVA", value:"2025-A-0257-S");

  script_name(english:"Palo Alto Networks PAN-OS 10.1.x < 10.1.14-h11 / 10.2.x < 10.2.10-h6 / 11.0.x < 11.0.6 / 11.1.x < 11.1.5 / 11.2.x < 11.2.3 Vulnerability");

  script_set_attribute(attribute:"synopsis", value:
"The remote PAN-OS host is affected by a vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of Palo Alto Networks PAN-OS running on the remote host is 10.1.x prior to 10.1.14-h11 or 10.2.x prior to
10.2.10-h6 or 11.0.x prior to 11.0.6 or 11.1.x prior to 11.1.5 or 11.2.x prior to 11.2.3. It is, therefore, affected by
a vulnerability.

    When configured using SAML, a session fixation vulnerability in the GlobalProtect login enables an
    attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This
    requires the legitimate user to first click on a malicious link provided by the attacker.

    The SAML login for the PAN-OS management interface is not affected. Additionally, this issue does not
    affect Cloud NGFW and all Prisma Access instances are proactively patched.

Tenable has extracted the preceding description block directly from the PAN-OS security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.paloaltonetworks.com/CVE-2025-0126");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PAN-OS 10.1.14-h11 / 10.2.10-h6 / 11.0.6 / 11.1.5 / 11.2.3 or later");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:H/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_supplemental", value:"CVSS:4.0/AU:N/R:U/V:D/RE:M/U:Amber");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-0126");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(384);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/09");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Palo Alto Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_version.nbin");
  script_require_keys("Host/Palo_Alto/Firewall/Version", "Host/Palo_Alto/Firewall/Full_Version", "Host/Palo_Alto/Firewall/Source", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

vcf::palo_alto::initialize();

var app_name = 'Palo Alto Networks PAN-OS';

var app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Palo_Alto/Firewall/Full_Version', kb_source:'Host/Palo_Alto/Firewall/Source');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

var constraints = [
  { 'min_version' : '10.1.0', 'fixed_version' : '10.1.14-h11' },
  { 'min_version' : '10.2.0', 'fixed_version' : '10.2.10-h6' },
  { 'min_version' : '11.0.0', 'fixed_version' : '11.0.6' },
  { 'min_version' : '11.1.0', 'fixed_version' : '11.1.5' },
  { 'min_version' : '11.2.0', 'fixed_version' : '11.2.3' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

12 Jun 2025 00:00Current

5.6Medium risk

Vulners AI Score5.6

CVSS 48.3

EPSS0.00324

SSVC