CVE-2025-0136 MEDIUM

CVE-2025-0136: PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices

Vendor Palo Alto Networks
Product PAN-OS
Weakness CWE-319 · Cleartext transmission
Published May 14, 2025
Last update May 14, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber

What the vulnerability does

01Description

Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.

Key dates

02Disclosure timeline

May 14, 2025 CVE published
May 14, 2025 Record updated