
CVE-2025-0123

CVSSv4: 5.9 | CVSSv3: NA | CVSSv2: NA | VMScore: 690 | EPSS: 8.0E-5 | KEV: Not Included
Published: 11/04/2025 Updated: 15/04/2025

Vulnerability Summary

Palo Alto Networks PAN-OS Unauthorized Packet Capture Data Disclosure Vulnerability

A vulnerability exists in Palo Alto Networks PAN-OS® software that allows unlicensed administrators to view clear-text data in decrypted HTTP/2 data streams on network firewall interfaces. Under normal circumstances, decrypted packet captures require a free Decryption Port Mirror license to be accessed by firewall administrators. To exploit this issue, an administrator must first gain network access to the management interface and successfully authenticate. The vulnerability only affects HTTP/2 data streams, with HTTP/1.1 streams remaining unaffected. Palo Alto Networks recommends reducing risk by restricting management interface access to trusted administrators from internal IP addresses. Cloud NGFW customer firewall administrators cannot access the packet capture feature, which remains available only to authorized Palo Alto Networks personnel for troubleshooting purposes. Prisma® Access is not impacted by this vulnerability.

Solution

This issue is fixed in PAN-OS 10.1.14-h13, PAN-OS 10.2.15, PAN-OS 11.1.8, PAN-OS 11.2.6, and all later PAN-OS versions.

Version | Minor Version | Suggested Solution
PAN-OS 11.2 | 11.2.0 through 11.2.5 | Upgrade to 11.2.6 or later.
PAN-OS 11.1 | 11.1.0 through 11.1.7 | Upgrade to 11.1.8 or later.
PAN-OS 11.0 (EoL) | | Upgrade to a supported fixed version.
PAN-OS 10.2 | 10.2.0 through 10.2.14 | Upgrade to 10.2.15 or later.
PAN-OS 10.1 | 10.1.0 through 10.1.14-h11 | Upgrade to 10.1.14-h13 or later.
All other older unsupported PAN-OS versions | | Upgrade to a supported fixed version.

To fully remediate risk, you must delete all pre-existing packet capture files stored on the firewall after you upgrade to a fixed PAN-OS version. This task can be performed through the PAN-OS web interface or through the PAN-OS CLI.

Using the Web Interface:

1. Select Monitor > Packet Capture > Captured Files > (Select All) and Delete the files.
2. Select Yes when prompted by the confirmation dialog.

Using the PAN-OS CLI:

1. Enter the following operational command:
> delete debug-filter file *

2. A confirmation prints to the terminal and indicates that all packet capture files were successfully deleted from the firewall:
successfully removed *
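
A version check against the fixed releases listed in the Solution table, added here as an example (it is not Palo Alto Networks' or this page's own code). The hostnames and versions in the sample inventory are constructed, and treating every build below the fixed one as affected (including hotfixes the advisory does not list, such as 10.1.14-h12) is an assumption.

```python
import re

# Fixed release per supported train, from the Solution section of this advisory.
# Tuples are (major, minor, maintenance, hotfix); 10.1.14-h13 -> (10, 1, 14, 13).
FIXED = {
    (10, 1): (10, 1, 14, 13),
    (10, 2): (10, 2, 15, 0),
    (11, 1): (11, 1, 8, 0),
    (11, 2): (11, 2, 6, 0),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a tuple that sorts in release order."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def format_version(v):
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}-h{v[3]}" if v[3] else base

def assess(version_text):
    """Return (status, advice) for one firewall's PAN-OS version."""
    version = parse_panos_version(version_text)
    train = version[:2]
    if train not in FIXED:
        if train > max(FIXED):  # "all later PAN-OS versions" carry the fix
            return ("fixed", "Delete packet capture files saved before the upgrade.")
        # 11.0 (EoL) and older trains have no fixed build of their own.
        return ("affected", "Upgrade to a supported fixed version.")
    if version < FIXED[train]:
        # Assumption: any build below the fixed one is affected, including
        # hotfixes the advisory does not list (e.g. 10.1.14-h12).
        return ("affected", f"Upgrade to {format_version(FIXED[train])} or later.")
    return ("fixed", "Delete packet capture files saved before the upgrade.")

def triage(inventory):
    """Map each host in {host: version} to its (status, advice) pair."""
    return {host: assess(version) for host, version in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"fw-edge-01": "10.1.14-h11", "fw-dc-02": "11.1.8", "fw-lab-03": "11.0.4"}
    for host, (status, advice) in triage(sample).items():
        print(f"{host}: {status} - {advice}")
```

A "fixed" result still leaves the cleanup step: capture files written before the upgrade remain on the firewall until they are deleted.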

Vulnerable Product

paloaltonetworks pan-os 11.2.5

paloaltonetworks pan-os 11.2.4

paloaltonetworks pan-os 11.2.3

paloaltonetworks pan-os 11.2.2

paloaltonetworks pan-os 11.2.1

paloaltonetworks pan-os 11.2.0

paloaltonetworks pan-os 11.1.6

paloaltonetworks pan-os 11.1.5

paloaltonetworks pan-os 11.1.4

paloaltonetworks pan-os 11.1.3

paloaltonetworks pan-os 11.1.2

paloaltonetworks pan-os 11.1.1

paloaltonetworks pan-os 11.1.0

paloaltonetworks pan-os 10.2.14

paloaltonetworks pan-os 10.2.13

paloaltonetworks pan-os 10.2.12

paloaltonetworks pan-os 10.2.11

paloaltonetworks pan-os 10.2.10

paloaltonetworks pan-os 10.2.9

paloaltonetworks pan-os 10.2.8

paloaltonetworks pan-os 10.2.7

paloaltonetworks pan-os 10.2.6

paloaltonetworks pan-os 10.2.5

paloaltonetworks pan-os 10.2.4

paloaltonetworks pan-os 10.2.3

paloaltonetworks pan-os 10.2.2

paloaltonetworks pan-os 10.2.1

paloaltonetworks pan-os 10.2.0

paloaltonetworks pan-os 10.1.14

paloaltonetworks pan-os 10.1.13

paloaltonetworks pan-os 10.1.12

paloaltonetworks pan-os 10.1.11

paloaltonetworks pan-os 10.1.10

paloaltonetworks pan-os 10.1.9

paloaltonetworks pan-os 10.1.8

paloaltonetworks pan-os 10.1.7

paloaltonetworks pan-os 10.1.6

paloaltonetworks pan-os 10.1.5

paloaltonetworks pan-os 10.1.4

paloaltonetworks pan-os 10.1.3

paloaltonetworks pan-os 10.1.2

paloaltonetworks pan-os 10.1.1

paloaltonetworks pan-os 10.1.0

palo alto networks cloud ngfw

palo alto networks pan-os

palo alto networks prisma access