CVE-2025-0126 Overview
CVE-2025-0126 is a session fixation vulnerability [CWE-384] affecting Palo Alto Networks GlobalProtect™ when configured to use Security Assertion Markup Language (SAML) authentication. An attacker can fixate a SAML session and impersonate a legitimate authorized user once that user clicks a malicious link supplied by the attacker. The attacker then performs actions on the GlobalProtect portal or gateway as the impersonated user. The SAML login flow for the PAN-OS® management interface is not affected. Cloud NGFW is also unaffected, and Palo Alto Networks has proactively patched all Prisma® Access instances.
Critical Impact
Successful exploitation allows an attacker to assume a legitimate GlobalProtect user's session and act on their behalf through the VPN portal, with user interaction required.
Affected Products
- Palo Alto Networks GlobalProtect™ configured with SAML authentication
- PAN-OS GlobalProtect portal and gateway components using SAML
- Prisma® Access (proactively patched by the vendor)
Discovery Timeline
- 2025-04-11 - CVE-2025-0126 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-0126
Vulnerability Analysis
The flaw is a session fixation issue in the GlobalProtect SAML login workflow. In a session fixation attack, the application accepts a session identifier supplied or influenced by the attacker rather than rotating to a fresh identifier after successful authentication. When the legitimate user authenticates through the SAML identity provider, the attacker-controlled session identifier becomes bound to that authenticated user. The attacker then uses the same identifier to access GlobalProtect as the victim.
The vulnerability requires user interaction. The victim must click a crafted link from the attacker that pre-seeds the session context. The PAN-OS management interface SAML login does not share the affected flow and remains unaffected. Cloud NGFW does not expose the affected component, and Prisma Access tenants were patched by Palo Alto Networks.
Root Cause
The root cause is the failure of the GlobalProtect SAML login to invalidate and regenerate the session identifier after successful authentication. The pre-authentication session token persists into the authenticated context, violating the secure session lifecycle expected for federated authentication.
Attack Vector
The attack is network-based and requires user interaction. The attacker crafts a malicious URL that initiates a GlobalProtect SAML login with an attacker-known session identifier. The victim clicks the link and completes SAML authentication with the legitimate identity provider. The attacker then replays the fixated session identifier to act as the authenticated GlobalProtect user. Technical details are described in the Palo Alto Networks security advisory for CVE-2025-0126.
Detection Methods for CVE-2025-0126
Indicators of Compromise
- GlobalProtect portal or gateway authentication events where the same SAML session identifier appears from two distinct source IP addresses within a short window.
- Successful GlobalProtect logins immediately preceded by unusual referrer URLs or externally supplied session parameters.
- VPN sessions originating from geographies or autonomous systems that do not match the user's historical access patterns.
Detection Strategies
- Correlate SAML assertion consumer URL hits with the source IP of the subsequent authenticated GlobalProtect session and alert on mismatches.
- Inspect web proxy and email security logs for outbound clicks on URLs containing GlobalProtect SAML request parameters from untrusted senders.
- Hunt for repeated use of the same session cookie or token across different client fingerprints in PAN-OS authentication logs.
Monitoring Recommendations
- Forward PAN-OS GlobalProtect authentication and SAML logs to a centralized analytics platform and retain them for at least 90 days.
- Monitor identity provider logs for SAML authentication requests with unusual RelayState values or unexpected client IPs.
- Alert on concurrent GlobalProtect sessions for the same user from geographically distant locations.
How to Mitigate CVE-2025-0126
Immediate Actions Required
- Apply the fixed PAN-OS versions listed in the Palo Alto Networks advisory to all GlobalProtect portals and gateways using SAML authentication.
- Verify Prisma Access tenants are on the patched release, even though Palo Alto Networks has proactively updated them.
- Force re-authentication of active GlobalProtect SAML sessions after patching to invalidate any fixated tokens.
- Educate users to avoid clicking GlobalProtect or VPN login links received from untrusted sources.
Patch Information
Palo Alto Networks has released fixed PAN-OS builds that address the session fixation defect in the GlobalProtect SAML login. Refer to the Palo Alto Networks advisory for CVE-2025-0126 for the exact fixed versions and upgrade guidance. Cloud NGFW is not affected, and Prisma Access has been patched by the vendor.
Workarounds
- Where immediate patching is not possible, switch GlobalProtect authentication from SAML to a non-affected method such as local database or LDAP with multi-factor authentication.
- Restrict GlobalProtect portal access to known source networks while remediation is in progress.
- Shorten GlobalProtect session lifetimes and enable strict cookie attributes at any fronting reverse proxy to reduce the window for session reuse.
# Configuration example: see vendor advisory for exact fixed PAN-OS versions
# https://security.paloaltonetworks.com/CVE-2025-0126
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
