CVE-2025-0136

PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices

Description

Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.

Remediation

Solution:

  Version        Minor Version             Suggested Solution
  PAN-OS 11.2                              No action needed
  PAN-OS 11.1    11.1.0 through 11.1.4     Upgrade to 11.1.5 or later
  PAN-OS 11.0    11.0.0 through 11.0.6     Upgrade to 11.0.7 or later
  PAN-OS 10.2    10.2.0 through 10.2.10    Upgrade to 10.2.11 or later
  PAN-OS 10.1    10.1.0 through 10.1.14    Upgrade to 10.1.14-h14 or later
  All other older unsupported PAN-OS versions    Upgrade to a supported fixed version.

  PAN-OS 11.0 is EoL. We listed it in this section for completeness and because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 on any of your firewalls, though, we strongly recommend that you upgrade to a supported (non-EoL) fixed version.

Workaround:

  • Configure IPSec Crypto encryption to an algorithm that meets current security standards, such as AES-256-GCM or AES-256-CBC, on PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series hardware PAN-OS firewalls. For more information on configuring IPSec Crypto Profiles, see our documentation: https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ipsec-crypto-profiles .
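The two checks an operator needs for this advisory are (a) whether any IPSec crypto profile still lists aes-128-ccm and (b) whether the running PAN-OS version falls inside the affected ranges in the table above. The following script is an added example, not Palo Alto Networks' code or tooling. It assumes that an exported PAN-OS XML configuration keeps IPSec crypto profiles under an `ipsec-crypto-profiles/entry` element with ESP ciphers at `esp/encryption/member` (an assumption about the export layout), and it maps model names to series with a constructed heuristic (`PA-5410` to `PA-5400`). The embedded configuration is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed PAN-OS XML export with three IPSec crypto profiles.
# The element layout is an assumption, not taken from a real export.
SAMPLE_CONFIG = """<config version="10.1.0">
  <devices><entry name="localhost.localdomain"><network><ike><crypto-profiles>
    <ipsec-crypto-profiles>
      <entry name="legacy-ccm"><esp>
        <encryption><member>aes-128-ccm</member></encryption>
        <authentication><member>none</member></authentication></esp></entry>
      <entry name="modern-gcm"><esp>
        <encryption><member>aes-256-gcm</member></encryption>
        <authentication><member>none</member></authentication></esp></entry>
      <entry name="mixed"><esp>
        <encryption><member>aes-256-cbc</member><member>AES-128-CCM</member></encryption>
        <authentication><member>sha256</member></authentication></esp></entry>
    </ipsec-crypto-profiles>
  </crypto-profiles></ike></network></entry></devices>
</config>"""

# Hardware series the advisory lists as affected.
AFFECTED_SERIES = {"PA-7500", "PA-5400", "PA-5400f", "PA-3400", "PA-1600", "PA-1400", "PA-400"}

# First fixed release per train, from the advisory's remediation table.
FIRST_FIXED = {"11.1": "11.1.5", "11.0": "11.0.7", "10.2": "10.2.11", "10.1": "10.1.14-h14"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """Turn '10.1.14-h14' into (10, 1, 14, 14); a missing hotfix suffix counts as 0."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def fix_status(version):
    """Suggested action for a PAN-OS version, following the advisory table."""
    v = parse_version(version)
    if v[:2] >= (11, 2):
        # 11.2 needs no action; trains newer than 11.2 are assumed to need none either.
        return "No action needed"
    train = f"{v[0]}.{v[1]}"
    if train in FIRST_FIXED:
        fixed = FIRST_FIXED[train]
        return "No action needed" if v >= parse_version(fixed) else f"Upgrade to {fixed} or later"
    return "Upgrade to a supported fixed version"


def model_series(model):
    """Map a model name such as 'PA-5410' to its series 'PA-5400' (constructed heuristic)."""
    m = re.fullmatch(r"PA-(\d+)(f?)", model.strip(), re.IGNORECASE)
    if not m:
        return None
    digits, suffix = m.groups()
    return f"PA-{digits[:-2]}00{suffix.lower()}"


def find_ccm_profiles(xml_text):
    """Names of IPSec crypto profiles whose ESP encryption list includes aes-128-ccm."""
    root = ET.fromstring(xml_text)
    hits = []
    for entry in root.iterfind(".//ipsec-crypto-profiles/entry"):  # assumed path
        algs = {m.text.strip().lower() for m in entry.iterfind("./esp/encryption/member") if m.text}
        if "aes-128-ccm" in algs:
            hits.append(entry.get("name"))
    return hits


def assess(model, version, xml_text):
    """Combine hardware, version and profile checks into one finding."""
    hardware_affected = model_series(model) in AFFECTED_SERIES
    ccm = find_ccm_profiles(xml_text)
    action = fix_status(version)
    return {
        "hardware_affected": hardware_affected,
        "ccm_profiles": ccm,            # listed even on fixed builds: CCM is not recommended
        "action": action,
        # Exposed only when all three conditions from the advisory hold at once.
        "exposed": hardware_affected and bool(ccm) and action != "No action needed",
    }


if __name__ == "__main__":
    for model, ver in (("PA-5410", "10.1.12"), ("PA-5410", "10.1.14-h14"), ("VM-300", "10.1.12")):
        print(model, ver, assess(model, ver, SAMPLE_CONFIG))
```

Hotfix builds matter here: the script orders `10.1.14-h14` after `10.1.14`, so a firewall on plain `10.1.14` is still reported as needing the upgrade, while `10.1.14-h14` and later are not. A VM-Series firewall with the same profiles is reported as not exposed, matching the advisory's scope, but the CCM profiles are still listed so they can be migrated.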

CVSS 4.0 score: 5.3 (Severity: Medium)
EPSS: 0.01%
Vendor Advisory: paloaltonetworks.com
Affected: Palo Alto Networks Cloud NGFW
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks Prisma Access

Frequently Asked Questions

What is the severity of CVE-2025-0136?
CVE-2025-0136 has been scored as a medium severity vulnerability.
How to fix CVE-2025-0136?
To fix CVE-2025-0136, upgrade according to the following table:

  Version        Minor Version             Suggested Solution
  PAN-OS 11.2                              No action needed
  PAN-OS 11.1    11.1.0 through 11.1.4     Upgrade to 11.1.5 or later
  PAN-OS 11.0    11.0.0 through 11.0.6     Upgrade to 11.0.7 or later
  PAN-OS 10.2    10.2.0 through 10.2.10    Upgrade to 10.2.11 or later
  PAN-OS 10.1    10.1.0 through 10.1.14    Upgrade to 10.1.14-h14 or later
  All other older unsupported PAN-OS versions    Upgrade to a supported fixed version.

PAN-OS 11.0 is EoL. We listed it in this section for completeness and because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 on any of your firewalls, though, we strongly recommend that you upgrade to a supported (non-EoL) fixed version.
Is CVE-2025-0136 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2025-0136 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-0136?
CVE-2025-0136 affects Palo Alto Networks Cloud NGFW, Palo Alto Networks PAN-OS, Palo Alto Networks Prisma Access.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.