CVE-2025-2182 MEDIUM

CVE-2025-2182: PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)

Vendor Palo Alto Networks
Product PAN-OS
Weakness CWE-312 · Cleartext storage
Published August 13, 2025
Last update August 13, 2025

CVSS base score

5.6/10
Attack vector Physical
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

What the vulnerability does

01Description

A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster. A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.

Key dates

02Disclosure timeline

August 13, 2025 CVE published
August 13, 2025 Record updated