Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Paloaltonetworks
  • Pan-os

No data.

No data.

References
Link Providers
https://security.paloaltonetworks.com/CVE-2025-0136 cve-icon cve-icon
History

Wed, 14 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 May 2025 18:30:00 +0000

Type Values Removed Values Added
Description Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.
Title PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices
First Time appeared Paloaltonetworks
Paloaltonetworks pan-os
Weaknesses CWE-319
CPEs cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h10:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h11:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h13:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.14:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:*:*:*:*:*:*:*
Vendors & Products Paloaltonetworks
Paloaltonetworks pan-os
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber'}
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2025-05-14T18:12:14.153Z

Updated: 2025-05-14T19:43:47.169Z

Reserved: 2024-12-20T23:24:32.158Z

Link: CVE-2025-0136

cve-icon Vulnrichment

Updated: 2025-05-14T19:43:43.104Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-05-14T19:15:51.973

Modified: 2025-05-16T14:43:56.797

Link: CVE-2025-0136

cve-icon Redhat

No data.