Palo Alto Networks has issued a security advisory for a newly discovered denial-of-service (DoS) vulnerability affecting several versions of PAN-OS — the operating system used across PA-Series, VM-Series, and Prisma Access firewalls. Tracked as CVE-2025-4619 and rated CVSS 6.6, the flaw can be exploited without authentication to remotely reboot a firewall by sending a single specially crafted packet through the dataplane.
According to Palo Alto Networks:
“A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane.”
The situation becomes more serious if the attacker repeatedly sends the packet:
“Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.”
Entering maintenance mode may disrupt traffic flows, break security enforcement, and require manual recovery — an unacceptable risk for organizations relying on these devices for perimeter security and threat prevention.
CVE-2025-4619 only affects firewalls that have at least one of the following configured:
- URL proxy, or
- Any decryption policy, whether its rules use a decrypt or a no-decrypt action
Palo Alto Networks makes this requirement explicit:
“This issue is only applicable to firewalls where URL proxy or any decrypt-policy is configured.”
Furthermore:
“When any decrypt policy is configured, this issue may be encountered regardless of whether traffic matches explicit decrypt, explicit no-decrypt, or none of the decryption policies.”
Cloud NGFW deployments are unaffected.
The advisory includes extensive fix paths for PAN-OS versions 11.2, 11.1, and 10.2, as well as Prisma Access. Palo Alto Networks recommends upgrading to one of the hotfix or maintenance releases listed below.
PAN-OS 11.2
- Affected: 11.2.0 through 11.2.4 (releases earlier than 11.2.4-h4)
- Fixed in: 11.2.4-h4, 11.2.5, or later
PAN-OS 11.1
- Affected: 11.1.0 through 11.1.6 (releases earlier than 11.1.6-h1)
- Fixed in: 11.1.6-h1, 11.1.7, or later (additional hotfix paths exist per minor version)
PAN-OS 10.2
- Affected: 10.2.0 through 10.2.13 (releases earlier than 10.2.13-h3)
- Fixed in: 10.2.13-h3, 10.2.14, or later
Cloud NGFW and PAN-OS 12.1 require no action.
Older, unsupported versions must be upgraded to a supported fixed release.
Prisma Access
- Fixed in: 11.2.4-h4 and 10.2.10-h14, depending on branch
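For fleet triage, the question is "which of our firewalls are below the fixed release for their branch, and do they carry a decryption policy or URL proxy configuration?" The following Python script is an added example, not code from the article or from Palo Alto Networks. It parses PAN-OS version strings of the form MAJOR.MINOR.PATCH[-hN], compares them against the fix thresholds listed above, and reads the sw-version line out of `show system info` output. Assumptions: only the fix releases printed on this page are encoded, so a firewall on one of the additional per-minor hotfix paths the advisory mentions (or on 10.2.10-h14 for Prisma Access) would be reported as affected, which is the conservative outcome; the `exposure()` function and its `decrypt_or_url_proxy_configured` flag are this example's own way of expressing the advisory's precondition, and the `show system info` sample is constructed.

```python
import re
from typing import Optional, Tuple

# Fix thresholds taken from the fix paths listed above. A version at or above
# the threshold (tuple comparison, hotfix number as the fourth element) is fixed;
# anything below it on the same branch is treated as affected.
# NOTE (assumption): hotfix paths the advisory lists for other minor versions are
# not encoded here, so this check is deliberately conservative.
FIXED_IN = {
    (11, 2): (11, 2, 4, 4),    # 11.2.4-h4, 11.2.5 or later
    (11, 1): (11, 1, 6, 1),    # 11.1.6-h1, 11.1.7 or later
    (10, 2): (10, 2, 13, 3),   # 10.2.13-h3, 10.2.14 or later
}
NOT_AFFECTED_BRANCHES = {(12, 1)}   # PAN-OS 12.1 requires no action

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-hN]' into a comparable tuple; hotfix is 0 when absent."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def version_status(s: str) -> str:
    """Classify a version as fixed, affected, not-affected or unsupported."""
    v = parse_version(s)
    branch = v[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "not-affected"
    threshold = FIXED_IN.get(branch)
    if threshold is None:
        # Branch not in the fix table: the page says older, unsupported
        # releases must move to a supported fixed release.
        return "unsupported"
    return "fixed" if v >= threshold else "affected"


def exposure(s: str, decrypt_or_url_proxy_configured: bool) -> str:
    """Combine the version check with the advisory's precondition.

    The flaw is only reachable when URL proxy or any decryption policy is
    configured. A vulnerable version without either still needs the upgrade
    (configuration changes), but is not exposed today.
    """
    status = version_status(s)
    if status == "affected" and not decrypt_or_url_proxy_configured:
        return "affected-not-reachable"
    return status


_SW_VERSION_RE = re.compile(r"^sw-version:\s*(\S+)", re.MULTILINE)


def sw_version_from_system_info(text: str) -> Optional[str]:
    """Pull the sw-version field out of 'show system info' CLI output."""
    m = _SW_VERSION_RE.search(text)
    return m.group(1) if m else None


# Constructed sample of 'show system info' output (not a real device).
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3220
sw-version: 11.1.6
"""

if __name__ == "__main__":
    ver = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(f"{ver}: {exposure(ver, decrypt_or_url_proxy_configured=True)}")
    for candidate in ("11.2.4", "11.2.4-h4", "11.2.5", "10.2.13-h2", "12.1.0", "10.1.14"):
        print(f"{candidate}: {version_status(candidate)}")
```

Run it against the version strings you collect from Panorama or from each device's `show system info`; treat anything other than "fixed" or "not-affected" as an upgrade item, and treat "affected-not-reachable" as a reminder that adding a single decrypt or no-decrypt rule later would expose the device.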
As of publication, Palo Alto Networks reports no evidence of in-the-wild exploitation.