vulnerability
Palo Alto Networks PAN-OS: CVE-2025-2182: PAN-OS: Firewall Clusters using the MACsec Protocol Expose the Connectivity Association Key (CAK)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:M/Au:M/C:C/I:N/A:N) | Aug 13, 2025 | Aug 14, 2025 | Jan 19, 2026 |
Severity
4
CVSS
(AV:L/AC:M/Au:M/C:C/I:N/A:N)
Published
Aug 13, 2025
Added
Aug 14, 2025
Modified
Jan 19, 2026
Description
A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster.
A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.
A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec.
Solution
palo-alto-networks-pan-os-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.