First published: Wed Apr 09 2025
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to first click on a malicious link provided by the attacker. The SAML login for the PAN-OS® management interface is not affected. Additionally, this issue does not affect Cloud NGFW and all Prisma® Access instances are proactively patched.
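The advisory names the vulnerability class (session fixation at the login step) without describing the GlobalProtect implementation, so the following is a generic illustration of that class, added here and not vendor code: a login handler that binds the authenticated user to whatever session id the browser already presented, beside the standard remedy of issuing a fresh server-chosen id at the authentication boundary. The `SessionStore`, the handler names and the planted id are all constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this illustration."""

    def __init__(self):
        self._sessions = {}  # session id -> session attributes

    def create(self) -> str:
        """Mint a fresh, unguessable, server-chosen session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid: str) -> dict:
        """Accept a caller-presented id as-is (this is the weak step)."""
        return self._sessions.setdefault(sid, {"user": None})

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def get(self, sid: str):
        return self._sessions.get(sid)


def complete_login_vulnerable(store: SessionStore, presented_sid: str, user: str) -> str:
    """Bind the authenticated user to whatever id the browser presented.
    If that id was fixed before login, whoever fixed it now holds an
    authenticated session: this is the session-fixation pattern."""
    store.adopt(presented_sid)["user"] = user
    return presented_sid


def complete_login_fixed(store: SessionStore, presented_sid: str, user: str) -> str:
    """Rotate the session id at the authentication boundary: discard the
    pre-login id and issue a new server-chosen one, so an id that existed
    before authentication never becomes an authenticated session."""
    store.destroy(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = user
    return new_sid


def planted_id_becomes_authenticated(login) -> bool:
    """Check whether a pre-login id still resolves to the user's session after login."""
    store = SessionStore()
    planted = "id-fixed-before-login"  # constructed: an id known before authentication
    login(store, planted, "alice")
    sess = store.get(planted)
    return sess is not None and sess["user"] == "alice"


if __name__ == "__main__":
    print("vulnerable:", planted_id_becomes_authenticated(complete_login_vulnerable))  # True
    print("fixed:     ", planted_id_becomes_authenticated(complete_login_fixed))       # False
```

The check `planted_id_becomes_authenticated` is the property a reviewer wants to hold for any SAML or other federated login flow: after the identity provider's assertion is accepted, the session cookie the client ends up with must be one the server chose at that moment, not one that was valid before.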
Affected Software | Affected Version | How to fix |
---|---|---|
Palo Alto PAN-OS | >=11.2.0 <11.2.3; >=11.1.0 <11.1.5; >=11.0.0 <11.0.6; >=10.2.0 <10.2.10-h6; >=10.1.0 <10.1.14-h11 | 11.2.3, 11.1.5, 11.0.6, 10.2.10-h6, 10.2.11, 10.2.4-h25, 10.2.9-h13, 10.1.14-h11 |
Palo Alto Networks Cloud NGFW | none (the advisory states Cloud NGFW is not affected) | |
This issue can be mitigated using a different form of authentication for the GlobalProtect portal (such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos). For more information about configuring authentication for the GlobalProtect portal see this technical documentation (https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-authentication-configuration-tab).
VERSION | MINOR VERSION | SUGGESTED SOLUTION |
---|---|---|
PAN-OS 11.2 | 11.2.0 through 11.2.2 | Upgrade to 11.2.3 or later |
PAN-OS 11.1 | 11.1.0 through 11.1.4 | Upgrade to 11.1.5 or later |
PAN-OS 11.0 | 11.0.0 through 11.0.5 | Upgrade to 11.0.6 or later |
PAN-OS 10.2 | 10.2.10 | Upgrade to 10.2.10-h6 or 10.2.11 or later |
PAN-OS 10.2 | 10.2.5 through 10.2.9 | Upgrade to 10.2.9-h13 or 10.2.11 or later |
PAN-OS 10.2 | 10.2.0 through 10.2.4 | Upgrade to 10.2.4-h25 or 10.2.11 or later |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h11 or later |
All other older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |

PAN-OS 11.0 is EoL. We listed it in this section for completeness because we added a patch for PAN-OS 11.0 before it reached EoL. If you are running PAN-OS 11.0 in any of your firewalls, we strongly recommend that you upgrade from this EoL vulnerable version to a fixed version. We proactively initiated an upgrade of Prisma Access on March 21, 2025, to cover all tenants.
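The remediation table splits the 10.2 train into three sub-ranges with different hotfix targets, so deciding whether a given firewall is still exposed needs a version comparison that orders a base release below its own hotfixes (10.2.10 sorts before 10.2.10-h6, but 10.2.9-h14 is past 10.2.9-h13). The script below, added here and not Palo Alto Networks tooling, encodes the table's rows and triages an inventory of `hostname version` lines; the hostnames and versions in `SAMPLE_INVENTORY` are constructed, and treating a release train absent from the table as "unlisted" rather than fixed is an assumption of this example.

```python
import re

# Version ranges copied from the advisory's remediation table:
# (first affected version in the row, first fixed version in the row, advice).
# A version is vulnerable when it lies in [first affected, first fixed).
REMEDIATION = [
    ("11.2.0", "11.2.3", "Upgrade to 11.2.3 or later"),
    ("11.1.0", "11.1.5", "Upgrade to 11.1.5 or later"),
    ("11.0.0", "11.0.6", "Upgrade to 11.0.6 or later (PAN-OS 11.0 is EoL)"),
    ("10.2.10", "10.2.10-h6", "Upgrade to 10.2.10-h6 or 10.2.11 or later"),
    ("10.2.5", "10.2.9-h13", "Upgrade to 10.2.9-h13 or 10.2.11 or later"),
    ("10.2.0", "10.2.4-h25", "Upgrade to 10.2.4-h25 or 10.2.11 or later"),
    ("10.1.0", "10.1.14-h11", "Upgrade to 10.1.14-h11 or later"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.
    A release without a hotfix suffix sorts below its own hotfixes
    (10.2.10 < 10.2.10-h6), which is what the advisory's rows require."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


_LISTED_TRAINS = {parse_version(lo)[:2] for lo, _, _ in REMEDIATION}
_OLDEST_LISTED = parse_version("10.1.0")


def assess(version: str) -> tuple:
    """Return (status, advice) for one PAN-OS version string.
    status is 'vulnerable', 'fixed' or 'unlisted'."""
    v = parse_version(version)
    if v < _OLDEST_LISTED:
        # The advisory's catch-all row for older, unsupported releases.
        return ("vulnerable", "Upgrade to a supported fixed version")
    if v[:2] not in _LISTED_TRAINS:
        # Assumption of this example: trains absent from the table are not decided here.
        return ("unlisted", "Release train not in the advisory table; check the vendor advisory")
    for lo, fixed, advice in REMEDIATION:
        if parse_version(lo) <= v < parse_version(fixed):
            return ("vulnerable", advice)
    return ("fixed", "No action required for CVE-2025-0126")


def triage_inventory(lines) -> list:
    """Apply assess() to 'hostname version' inventory lines; returns
    (hostname, version, status, advice) tuples, vulnerable hosts first."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split()
        status, advice = assess(version)
        rows.append((host, version, status, advice))
    return sorted(rows, key=lambda r: r[2] != "vulnerable")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host           pan-os version
fw-edge-01       10.2.9-h12
fw-edge-02       10.2.9-h13
fw-dc-01         11.1.4
fw-dc-02         11.2.3
fw-branch-07     10.1.14
fw-lab-legacy    10.0.3
"""

if __name__ == "__main__":
    for host, version, status, advice in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host:14} {version:12} {status:10} {advice}")
```

Because the fix for this advisory is a version bump, the version string is the only fact the check needs; the mitigation the advisory offers (switching the portal to non-SAML authentication) is a configuration state this script does not see, so a host it flags may already be mitigated and still warrant the upgrade.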
CVE-2025-0126 is regarded as a high-severity vulnerability due to its potential to enable session fixation attacks.
To remediate CVE-2025-0126, you should update to the fixed versions of PAN-OS listed in the advisory.
CVE-2025-0126 affects Palo Alto Networks PAN-OS; according to the advisory, Cloud NGFW is not affected and all Prisma Access instances have been proactively patched.
CVE-2025-0126 enables session fixation attacks that allow an attacker to impersonate legitimate users.
Yes, CVE-2025-0126 requires the legitimate user to click on a malicious link provided by an attacker.