CVE-2025-0126 Palo Alto Networks CVE debrief

Who should care

Organizations operating Siemens RUGGEDCOM APE1808 with GlobalProtect remote access; OT security teams managing industrial VPN gateways; identity and access management administrators responsible for SAML federated authentication

Technical summary

The vulnerability exists in GlobalProtect™ when configured with SAML authentication. An attacker can fixate a session ID, then trick a legitimate user into authenticating through a malicious link. Once authenticated, the attacker possesses a valid session and can impersonate the user to perform unauthorized actions. The attack requires user interaction (clicking a malicious link) but needs no privileges and has low attack complexity. CVSS vector indicates network attack vector, scope change, high confidentiality impact, low integrity impact, and high availability impact.

Defensive priority

CRITICAL

Recommended defensive actions

• Upgrade Palo Alto Networks Virtual NGFW to version 11.1.8 by contacting customer support for patch and update information
• Review SAML authentication configurations on affected RUGGEDCOM APE1808 deployments
• Implement user awareness training to reduce likelihood of malicious link engagement
• Apply defense-in-depth controls per CISA ICS recommended practices
• Monitor for anomalous GlobalProtect session activity indicating potential impersonation attempts

Evidence notes

CVE published 2024-11-22 per CISA ICS advisory ICSA-24-338-02. Advisory modified 2025-06-10 to add additional CVEs. Vendor fix requires upgrading to Palo Alto Networks Virtual NGFW V11.1.8.

Official resources