[Palo Alto Networks Security Advisories] CVE-2025-0116 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted LLDP Frame
Description
A Denial of Service (DoS) vulnerability in Palo Alto Networks PAN-OS software causes the firewall to unexpectedly reboot when processing a specially crafted LLDP frame sent by an unauthenticated adjacent attacker. Repeated attempts to initiate this condition cause the firewall to enter maintenance mode.
This issue does not apply to Cloud NGFWs or Prisma Access software.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | < 11.2.5 | >= 11.2.5 |
PAN-OS 11.1 | < 11.1.8 | >= 11.1.8 (ETA: 3/13/2025) |
PAN-OS 10.2 | < 10.2.13-h5, < 10.2.14 | >= 10.2.13-h5, >= 10.2.14 (ETA: 4/3/2025) |
PAN-OS 10.1 | < 10.1.14-h11 | >= 10.1.14-h11 |
Prisma Access | None | All |
Please note that PAN-OS 11.0, PAN-OS 10.0, PAN-OS 9.1, PAN-OS 9.0, and older releases have reached their software end-of-life (EoL) dates and are no longer evaluated for vulnerabilities and no fixes are planned. These versions are presumed to be affected.
Required Configuration for Exposure
You must have enabled LLDP in your PAN-OS software to be vulnerable to this issue. You can verify whether you have LLDP enabled by following these steps in your web interface:
- Select Network > LLDP.
- In the LLDP General settings, verify whether LLDP is enabled (checked).
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-153 Input Data Manipulation
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
PAN-OS 11.2 | 11.2.0 through 11.2.4 | Upgrade to 11.2.5 or later |
PAN-OS 11.1 | 11.1.7 | Upgrade to 11.1.8 or later |
PAN-OS 11.1 | 11.1.3 through 11.1.6 | Upgrade to 11.1.6-h1 or 11.1.8 or later |
PAN-OS 11.1 | 11.1.0 through 11.1.2 | Upgrade to 11.1.2-h18 or 11.1.8 or later |
PAN-OS 11.0 (EoL) | | Upgrade to a supported fixed version |
PAN-OS 10.2 | 10.2.13 | Upgrade to 10.2.13-h5 or 10.2.14 or later |
PAN-OS 10.2 | 10.2.0 through 10.2.13 | Upgrade to 10.2.14 or later |
PAN-OS 10.1 | 10.1.0 through 10.1.14 | Upgrade to 10.1.14-h11 or later |
All other older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
Workarounds and Mitigations
If you are not using LLDP, you should disable it to mitigate this issue by performing the following steps in your web interface:
- Select Network > LLDP.
- Open LLDP General settings.
- Disable (uncheck) LLDP.
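To apply the version tables and the LLDP requirement across an inventory, the check can be scripted. The Python below is an added example, not part of the Palo Alto Networks advisory; the function names and the sample inventory are constructed for illustration, and it assumes a hotfix release only covers the maintenance release it is built on.

```python
import re

# Fixed releases per branch, transcribed from the advisory's Solution table.
# Each entry is (major, minor, maintenance, hotfix); the last one is the newest.
FIXED = {
    (11, 2): [(11, 2, 5, 0)],
    (11, 1): [(11, 1, 2, 18), (11, 1, 6, 1), (11, 1, 8, 0)],
    (10, 2): [(10, 2, 13, 5), (10, 2, 14, 0)],
    (10, 1): [(10, 1, 14, 11)],
}
# Branches the advisory names as end-of-life and presumes affected.
EOL = {(11, 0), (10, 0), (9, 1), (9, 0)}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Turn '10.2.13-h5' into (10, 2, 13, 5); a missing hotfix counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def status(version):
    """Classify a PAN-OS version against the advisory's tables."""
    v = parse(version)
    branch = v[:2]
    if branch in EOL or branch < (9, 0):
        return "eol-presumed-affected"
    fixes = FIXED.get(branch)
    if fixes is None:
        return "not-listed"  # branch does not appear in the advisory
    if v >= fixes[-1]:
        return "fixed"
    # Assumption: an older hotfix only fixes its own maintenance release.
    for fix in fixes[:-1]:
        if v[:3] == fix[:3] and v[3] >= fix[3]:
            return "fixed"
    return "affected"

def exposed(version, lldp_enabled):
    """Exposure needs both an unfixed release and LLDP enabled."""
    return bool(lldp_enabled) and status(version) != "fixed" \
        and status(version) != "not-listed"

if __name__ == "__main__":
    # Constructed sample inventory: hostname -> (version, LLDP enabled).
    inventory = {"fw-a": ("11.1.6-h1", True), "fw-b": ("11.1.7", True),
                 "fw-c": ("10.2.13-h4", False), "fw-d": ("11.0.6", True)}
    for host, (ver, lldp) in inventory.items():
        print(host, ver, status(ver), "EXPOSED" if exposed(ver, lldp) else "ok")
```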
Acknowledgments
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
Timeline