CVE-2025-0136

CVE-2025-0136 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-319.

Key facts

Description

Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.

Frequently asked questions

What is CVE-2025-0136?
Using the AES-128-CCM algorithm for IPSec on certain Palo Alto Networks PAN-OS® firewalls (PA-7500, PA-5400, PA-5400f, PA-3400, PA-1600, PA-1400, and PA-400 Series) leads to unencrypted data transfer to devices that are connected to the PAN-OS firewall through IPSec. This issue does not affect Cloud NGFWs, Prisma® Access instances, or PAN-OS VM-Series firewalls. NOTE: The AES-128-CCM encryption algorithm is not recommended for use.
How severe is CVE-2025-0136?
CVE-2025-0136 has a CVSS 4.0 base score of 5.3, rated medium severity.
Is CVE-2025-0136 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (3rd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-0136?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-0136 have an EU (EUVD) identifier?
Yes. CVE-2025-0136 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-14904.
When was CVE-2025-0136 published?
CVE-2025-0136 was published on 2025-05-14 and last updated on 2026-06-17.

References

Other CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities

Browse all CWE-319 (Cleartext Transmission of Sensitive Information) vulnerabilities →