Thursday, March 5, 2026

Palo Alto PAN-OS Vulnerability Allows Remote Firewall Reboot via Malicious Packet

Palo Alto Networks has disclosed a medium-severity denial-of-service (DoS) vulnerability in its PAN-OS software, tracked as CVE-2025-4619, that allows unauthenticated attackers to remotely reboot firewalls with specially crafted packets.

Published on November 12, 2025, this flaw affects PA-Series and VM-Series firewalls and specific Prisma Access deployments. Repeated exploitation can push a device into maintenance mode and disrupt network operations.

While no malicious exploitation has been reported yet, the issue underscores the risks posed by unpatched network security appliances, especially in environments that rely on Palo Alto’s next-generation firewalls for threat prevention.

Vulnerability Details and Scope

CVE-2025-4619 stems from an improper check for unusual conditions (CWE-754), allowing pointer manipulation (CAPEC-129) in the dataplane processing.

An attacker can send a single malicious packet to trigger an immediate firewall reboot, with successive attempts forcing the device into maintenance mode, halting traffic inspection and enforcement.

This vulnerability requires specific configurations: firewalls with URL proxy enabled or any decryption policy, including explicit decrypt, no-decrypt, or unmatched policies.

It affects PAN-OS versions across several branches, including 11.2 (below 11.2.5), 11.1 (up to 11.1.7 in specific hotfixes), and 10.2 (up to 10.2.14, excluding 10.2.4-h25 and prior). PAN-OS 12.1, 10.1, and all Cloud NGFW remain unaffected.

The CVSS v4.0 base score is 6.6 (Medium), reflecting network attack vector, low complexity, no privileges or user interaction needed, and high impact on availability without affecting confidentiality or integrity.

The flaw is rated automatable with concentrated value density, which gives it moderate urgency for remediation. Recovery is rated as user, and exploit maturity is unreported.

For Prisma Access, the vulnerability applies to PAN-OS 11.2 below 11.2.4-h4 and 10.2 below 10.2.10-h14.

However, Palo Alto has upgraded most customers and is scheduling the rest promptly. Discovered in production, the flaw was assigned reference PAN-247099.

Impact Assessment and Remediation Steps

The primary impact is operational disruption: a reboot can interrupt critical security functions, exposing networks to threats during downtime.

In high-traffic environments, repeated attacks could cascade into prolonged outages, amplifying risks for organizations using these firewalls at perimeters or in cloud setups.

No data loss or unauthorized access occurs, but the concentrated attack surface on decryption-enabled devices heightens urgency for exposed users.

Palo Alto recommends immediate upgrades as the sole solution, with no workarounds available. For PAN-OS 11.2, upgrade to 11.2.4-h4, 11.2.5, or later; for 11.1, target 11.1.4-h13, 11.1.6-h1, or 11.1.7 depending on the minor version.

In 10.2, options include 10.2.7-h24, 10.2.8-h21, up to 10.2.14, while versions older than 10.2.4-h25 are safe but unsupported. Unsupported legacy versions should migrate to supported fixed releases.

Prisma Access users on affected 10.2 or 11.2 should upgrade to 10.2.10-h14 or 11.2.4-h4.
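The Prisma Access thresholds above can be checked across an inventory with a short script. The following is an added example, not code from Palo Alto Networks or from the original article; the function names and the sample tenant inventory are hypothetical, and it covers only the two Prisma Access branches listed here. It parses the hotfix suffix numerically, because a plain string comparison would wrongly rank a release such as 11.2.10 below 11.2.4-h4.

```python
import re

# Prisma Access thresholds as stated in this article: a branch is affected
# below the listed release (tuple = major, minor, maintenance, hotfix).
PRISMA_FIXED = {
    (11, 2): (11, 2, 4, 4),    # 11.2.4-h4
    (10, 2): (10, 2, 10, 14),  # 10.2.10-h14
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a comparable 4-tuple (hotfix defaults to 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def prisma_status(version):
    """Return 'affected', 'fixed', or 'branch-not-listed' for a Prisma Access version."""
    parsed = parse_panos(version)
    fixed = PRISMA_FIXED.get(parsed[:2])
    if fixed is None:
        return "branch-not-listed"
    return "affected" if parsed < fixed else "fixed"


def triage(inventory):
    """Map tenant name -> status; unparseable versions are flagged for manual review."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = prisma_status(version)
        except ValueError:
            report[name] = "manual-review"
    return report


# Constructed sample inventory (hypothetical tenant names and versions).
SAMPLE = {
    "tenant-a": "11.2.4-h3",
    "tenant-b": "11.2.4-h4",
    "tenant-c": "11.2.10",     # sorts before 11.2.4 as a string, but is newer
    "tenant-d": "10.2.10-h9",
    "tenant-e": "10.2.x",
}
```

Calling `triage(SAMPLE)` returns a per-tenant status; branches outside the two listed here are reported as `branch-not-listed` rather than guessed.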

Administrators must verify configurations, test patches in staging, and monitor for anomalous reboots.

Given the low barrier to entry (no authentication is needed), prompt action prevents potential abuse in automated attack scenarios.

This vulnerability highlights the evolving threats to firewall stability, urging security teams to prioritize dataplane integrity in their patching cycles.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
