EXECUTIVE SUMMARY:
Palo Alto Networks PAN-OS contains a denial-of-service vulnerability (CVE-2025-4619, CVSS 6.6) that allows an unauthenticated attacker to remotely force a firewall to reboot by sending a single specially crafted packet through the dataplane. Repeated attempts can push affected devices into maintenance mode, disrupting traffic and security enforcement. The flaw only applies to appliances configured with URL proxy or any decrypt policy, and affects PAN-OS versions 11.2.0 through 11.2.4, 11.1.0 through 11.1.6, and 10.2.0 through 10.2.13. Cloud NGFW and PAN-OS 12.1 are not affected.
RECOMMENDATION:
We strongly recommend you update PAN-OS to versions 11.2.5, 11.1.7, or 10.2.14.
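An added example, not part of the original advisory and not vendor code: a Python triage helper that classifies a firewall inventory against the version ranges and the URL proxy / decrypt-policy precondition stated above, and returns the upgrade target. Hostnames and inventory rows are constructed, the function names are hypothetical, and ignoring -hN hotfix suffixes is an assumption because this advisory lists only maintenance releases.

```python
import re

# From this advisory: release train -> (last affected maintenance release,
# first fixed maintenance release).
AFFECTED = {(11, 2): (4, 5), (11, 1): (6, 7), (10, 2): (13, 14)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def triage(version, url_proxy=False, decrypt_policy=False):
    """Return (verdict, upgrade_target) for one firewall.

    Assumption of this example: a -hN hotfix suffix is parsed but does not
    change the verdict, since the advisory gives no hotfix-level fixes.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", None)
    major, minor, maint = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if (major, minor) not in AFFECTED:
        return ("train-not-listed", None)
    last_bad, first_fixed = AFFECTED[(major, minor)]
    target = f"{major}.{minor}.{first_fixed}"
    if maint > last_bad:
        return ("fixed", None)
    if not (url_proxy or decrypt_policy):
        # Version is in range, but neither precondition is configured.
        return ("in-range-not-exposed", target)
    return ("affected", target)


# Constructed inventory rows: (hostname, version, url_proxy, decrypt_policy)
INVENTORY = [
    ("fw-edge-01", "11.2.4", False, True),
    ("fw-edge-02", "11.1.6-h1", True, False),
    ("fw-dc-01", "10.2.13", False, False),
    ("fw-dc-02", "10.2.14", False, True),
    ("fw-lab-01", "12.1.2", False, True),
]


def report(rows=INVENTORY):
    return {host: triage(ver, up, dp) for host, ver, up, dp in rows}


if __name__ == "__main__":
    for host, (verdict, target) in report().items():
        print(f"{host:12} {verdict:22} upgrade-to={target}")
```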
REFERENCES:
The following reports contain further technical details: