ByteOS Network

Vulnerability Details :

CVE-2025-2182

Assigner Org ID-d6c1279f-00f6-4ef7-9217-f89ffe703ec0

Published At-13 Aug, 2025 | 17:03

Updated At-13 Aug, 2025 | 20:32

PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)

A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster. A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:palo_alto

Assigner Org ID:d6c1279f-00f6-4ef7-9217-f89ffe703ec0

Published At:13 Aug, 2025 | 17:03

Updated At:13 Aug, 2025 | 20:32

▼CVE Numbering Authority (CNA)

PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)

Affected Products

Vendor

Palo Alto Networks, Inc.

Product

Cloud NGFW

Default Status

unaffected

Versions

Unaffected

From All before 3.2.449 (custom)
- -> unaffectedfrom3.2.449

Vendor

Palo Alto Networks, Inc.

Product

PAN-OS

CPEs

cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.9:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.8:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.6:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.5:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.4:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.3:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.2:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.1:*:*:*:*:*:PA-7500:*
cpe:2.3:o:palo_alto_networks:pan-os:11.1.0:*:*:*:*:*:PA-7500:*

Modules

Clusters

Platforms

PA-7500

Default Status

unaffected

Versions

Affected

From 11.2.0 before 11.2.8 (custom)
- -> unaffectedfrom11.2.8
From 11.1.0 before 11.1.10 (custom)
- -> unaffectedfrom11.1.10

Unaffected

10.2.0 (custom)
10.1.0 (custom)

Vendor

Palo Alto Networks, Inc.

Product

PAN-OS

Platforms

devices other than PA-7500

Default Status

unaffected

Versions

Unaffected

All (custom)

Vendor

Palo Alto Networks, Inc.

Product

Prisma Access

Default Status

unaffected

Versions

Unaffected

All (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-312	CWE-312 Cleartext Storage of Sensitive Information

Type: CWE

CWE ID: CWE-312

Description: CWE-312 Cleartext Storage of Sensitive Information

Metrics

Version	Base score	Base severity	Vector
4.0	5.6	MEDIUM	CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

Version: 4.0

Base score: 5.6

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:A/V:D/RE:M/U:Amber

Impacts

CAPEC ID	Description
CAPEC-158	CAPEC-158 Sniffing Network Traffic

CAPEC ID: CAPEC-158

Description: CAPEC-158 Sniffing Network Traffic

Solutions

Version Minor Version Suggested Solution Cloud NGFW No action needed. PAN-OS 11.2 on PA-7500 11.2.0 through 11.2.7 Upgrade to 11.2.8 or later. PAN-OS 11.1 on PA-7500 11.1.0 through 11.1.9 Upgrade to 11.1.10 or later. PAN-OS 10.2 on PA-7500 No action needed.PAN-OS 10.1 on PA-7500 No action needed.PAN-OS on devices other than PA-7500 No action needed.All older unsupported PAN-OS versions Upgrade to a supported fixed version.Prisma Access No action needed.

Configurations

The following conditions must be true to be vulnerable to this issue: * Your PA-7500 Series devices must be in an NGFW cluster. For more information regarding NGFW Clusters see our documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/ngfw-clustering/ngfw-clusters . * A MACsec policy must be configured and enabled for the NGFW cluster. For more information about MACsec profiles please see our documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-macsec-profile .

Workarounds

No known workarounds exist for this issue.

Exploits

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Credits

finder

This issue was found during an internal security review.

Timeline

Event	Date
Initial Publication	2025-08-13 16:00:00

Event: Initial Publication

Date: 2025-08-13 16:00:00

References

Hyperlink	Resource
https://security.paloaltonetworks.com/CVE-2025-2182	vendor-advisory

Hyperlink: https://security.paloaltonetworks.com/CVE-2025-2182

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:psirt@paloaltonetworks.com

Published At:13 Aug, 2025 | 17:15

Updated At:13 Aug, 2025 | 17:33

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	5.6	MEDIUM	CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber

Type: Secondary

Version: 4.0

Base score: 5.6

Base severity: MEDIUM

Vector:

CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber

Weaknesses

CWE ID	Type	Source
CWE-312	Secondary	psirt@paloaltonetworks.com

CWE ID: CWE-312

Type: Secondary

Source: psirt@paloaltonetworks.com

References

Hyperlink	Source	Resource
https://security.paloaltonetworks.com/CVE-2025-2182	psirt@paloaltonetworks.com	N/A

Hyperlink: https://security.paloaltonetworks.com/CVE-2025-2182

Source: psirt@paloaltonetworks.com

Resource: N/A

CVE-2025-2182

Credits

PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Unaffected

Affected

Unaffected

Unaffected

Unaffected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs