CVE-2025-2182
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-13
Assigner: Palo Alto Networks, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| palo_alto_networks | pan-os | 11.1.5 |
| palo_alto_networks | pan-os | 11.1.7 |
| palo_alto_networks | pan-os | 11.1.1 |
| palo_alto_networks | pan-os | 11.1.6 |
| palo_alto_networks | pan-os | 11.1.8 |
| palo_alto_networks | pan-os | 11.2.5 |
| palo_alto_networks | pan-os | 11.1.3 |
| palo_alto_networks | pan-os | 11.1.9 |
| palo_alto_networks | pan-os | 11.2.2 |
| palo_alto_networks | pan-os | 11.1.0 |
| palo_alto_networks | pan-os | 11.1.4 |
| palo_alto_networks | pan-os | 11.2.4 |
| palo_alto_networks | pan-os | 11.1.2 |
| palo_alto_networks | pan-os | 11.2.3 |
| palo_alto_networks | pan-os | 11.2.6 |
| palo_alto_networks | pan-os | 11.2.7 |
| palo_alto_networks | pan-os | 11.2.1 |
| palo_alto_networks | pan-os | 11.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is due to a problem in the implementation of the MACsec protocol on Palo Alto Networks PAN-OS running on PA-7500 Series devices configured in an NGFW cluster. It causes the Connectivity Association Key (CAK) to be exposed in cleartext. An attacker who obtains this key can intercept and read communications between devices within the NGFW cluster. This issue does not affect non-clustered firewalls or clusters without MACsec enabled. [1]
How can this vulnerability impact me?
The vulnerability impacts the confidentiality of communications within an NGFW cluster using MACsec on PA-7500 devices. An attacker with access to the exposed CAK can read messages sent between devices in the cluster, potentially leading to sensitive information disclosure. There is no impact on integrity or availability. The attack requires adjacent network access and high privileges but no user interaction. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade affected PA-7500 Series devices in NGFW clusters with MACsec enabled to PAN-OS version 11.2.8 or later, or 11.1.10 or later, depending on the version currently in use. No other workarounds or mitigations exist. [1]