CVE-2025-4235 (GCVE-0-2025-4235)
Vulnerability from cvelistv5
Published
2025-09-12 17:16
Modified
2025-09-13 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Summary
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account’s permissions. The impact varies by configuration:
* Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention under a Domain Credential Filter https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions configuration.
* Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Palo Alto Networks | User-ID Credential Agent |
Patch: 11.0.0 < 11.0.2-133 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4235",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-13T03:55:32.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "User-ID Credential Agent",
"vendor": "Palo Alto Networks",
"versions": [
{
"changes": [
{
"at": "11.0.2-133",
"status": "affected"
},
{
"at": "11.0.3",
"status": "unaffected"
}
],
"lessThan": "11.0.2-133",
"status": "unaffected",
"version": "11.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Palo Alto Networks thanks an external reporter for discovering and reporting this issue."
}
],
"datePublic": "2025-09-10T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account\u2019s permissions. The impact varies by configuration:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention\"\u003eCredential Phishing Prevention\u003c/a\u003e under a \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions\"\u003eDomain Credential Filter\u003c/a\u003e configuration.\u003c/li\u003e\u003cli\u003eElevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account\u2019s permissions. The impact varies by configuration:\n * Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention under a Domain Credential Filter https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions configuration.\n * Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"value": "Palo Alto Networks is not aware of any malicious exploitation of this issue."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37: Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Elevated Service Accounts"
}
]
},
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Minimally Privileged Service Account"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T17:16:53.868Z",
"orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"shortName": "palo_alto"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.paloaltonetworks.com/CVE-2025-4235"
}
],
"solutions": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable class=\"tbl\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eUser-ID Credential Agent 11.0 on Windows\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.0.2-133\u003c/td\u003e\u003ctd\u003eUpgrade to 11.0.3 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e11.0.0 through 11.0.1-104\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e"
}
],
"value": "Version\nMinor Version\nSuggested Solution\nUser-ID Credential Agent 11.0 on Windows\n11.0.2-133Upgrade to 11.0.3 or later\u00a011.0.0 through 11.0.1-104No action needed."
}
],
"source": {
"defect": [
"WINAGENT-1130"
],
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-09-10T16:00:00.000Z",
"value": "Initial Publication"
}
],
"title": "User-ID Credential Agent: Cleartext Exposure of Service Account password",
"workarounds": [
{
"lang": "eng",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cul\u003e\u003cli\u003eBy default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the \"Allow log on locally\" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path:\u003cul\u003e\u003cli\u003eGroup Policy Management \u0026gt; Domain Controllers \u0026gt; Select GPO (Edit) \u0026gt; Computer Configuration \u0026gt; Policies \u0026gt; Windows Settings \u0026gt; Security Settings \u0026gt; Local Policies \u0026gt; User Rights Assignment \u0026gt; \"Allow log on locally\".\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eRefer to the \"\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent\"\u003eCreate a Dedicated Service Account for the User-ID Agent\u003c/a\u003e\" and \"\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/configure-credential-detection-with-the-windows-based-user-id-agent\"\u003eConfigure Credential Detection with the Windows User-ID Agent\u003c/a\u003e\" guidelines to ensure service accounts are configured with appropriate permissions and restrictions.\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "* By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the \"Allow log on locally\" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path: * Group Policy Management \u003e Domain Controllers \u003e Select GPO (Edit) \u003e Computer Configuration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e Local Policies \u003e User Rights Assignment \u003e \"Allow log on locally\".\n\n\n\n\n * Refer to the \" Create a Dedicated Service Account for the User-ID Agent https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent \" and \" Configure Credential Detection with the Windows User-ID Agent https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/configure-credential-detection-with-the-windows-based-user-id-agent \" guidelines to ensure service accounts are configured with appropriate permissions and restrictions."
}
],
"x_affectedList": [
"User-ID Credential Agent 11.0.2"
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
"assignerShortName": "palo_alto",
"cveId": "CVE-2025-4235",
"datePublished": "2025-09-12T17:16:53.868Z",
"dateReserved": "2025-05-02T19:10:50.812Z",
"dateUpdated": "2025-09-13T03:55:32.456Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-4235\",\"sourceIdentifier\":\"psirt@paloaltonetworks.com\",\"published\":\"2025-09-12T18:15:34.373\",\"lastModified\":\"2025-09-15T15:21:42.937\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account\u2019s permissions. The impact varies by configuration:\\n * Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention under a Domain Credential Filter https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions configuration.\\n * Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NO\",\"Recovery\":\"USER\",\"valueDensity\":\"DIFFUSE\",\"vulnerabilityResponseEffort\":\"MODERATE\",\"providerUrgency\":\"AMBER\"}}]},\"weaknesses\":[{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"references\":[{\"url\":\"https://security.paloaltonetworks.com/CVE-2025-4235\",\"source\":\"psirt@paloaltonetworks.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-4235\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-12T17:29:55.427201Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-12T17:30:00.951Z\"}}], \"cna\": {\"title\": \"User-ID Credential Agent: Cleartext Exposure of Service Account password\", \"source\": {\"defect\": [\"WINAGENT-1130\"], \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Palo Alto Networks thanks an external reporter for discovering and reporting this issue.\"}], \"impacts\": [{\"capecId\": \"CAPEC-37\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-37: Retrieve Embedded Sensitive Data\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 7.2, \"Automatable\": \"NO\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/AU:N/R:U/V:D/RE:M/U:Amber\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"Elevated Service Accounts\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 5.8, \"Automatable\": \"NO\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"DIFFUSE\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M/U:Amber\", \"providerUrgency\": \"AMBER\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"MODERATE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"Minimally Privileged Service Account\"}]}], \"affected\": [{\"vendor\": \"Palo Alto Networks\", \"product\": \"User-ID Credential Agent\", \"versions\": [{\"status\": \"unaffected\", \"changes\": [{\"at\": \"11.0.2-133\", \"status\": \"affected\"}, {\"at\": \"11.0.3\", \"status\": \"unaffected\"}], \"version\": \"11.0.0\", \"lessThan\": \"11.0.2-133\", \"versionType\": \"custom\"}], \"platforms\": [\"Windows\"], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Palo Alto Networks is not aware of any malicious exploitation of this issue.\", \"base64\": false}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-09-10T16:00:00.000Z\", \"value\": \"Initial Publication\"}], \"solutions\": [{\"lang\": \"eng\", \"value\": \"Version\\nMinor Version\\nSuggested Solution\\nUser-ID Credential Agent 11.0 on Windows\\n11.0.2-133Upgrade to 11.0.3 or later\\u00a011.0.0 through 11.0.1-104No action needed.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003ctable class=\\\"tbl\\\"\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eUser-ID Credential Agent 11.0 on Windows\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e11.0.2-133\u003c/td\u003e\u003ctd\u003eUpgrade to 11.0.3 or later\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u0026nbsp;\u003c/td\u003e\u003ctd\u003e11.0.0 through 11.0.1-104\u003c/td\u003e\u003ctd\u003eNo action needed.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-09-10T16:00:00.000Z\", \"references\": [{\"url\": \"https://security.paloaltonetworks.com/CVE-2025-4235\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"eng\", \"value\": \"* By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the \\\"Allow log on locally\\\" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path: * Group Policy Management \u003e Domain Controllers \u003e Select GPO (Edit) \u003e Computer Configuration \u003e Policies \u003e Windows Settings \u003e Security Settings \u003e Local Policies \u003e User Rights Assignment \u003e \\\"Allow log on locally\\\".\\n\\n\\n\\n\\n * Refer to the \\\" Create a Dedicated Service Account for the User-ID Agent https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent \\\" and \\\" Configure Credential Detection with the Windows User-ID Agent https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/configure-credential-detection-with-the-windows-based-user-id-agent \\\" guidelines to ensure service accounts are configured with appropriate permissions and restrictions.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cul\u003e\u003cli\u003eBy default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the \\\"Allow log on locally\\\" setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path:\u003cul\u003e\u003cli\u003eGroup Policy Management \u0026gt; Domain Controllers \u0026gt; Select GPO (Edit) \u0026gt; Computer Configuration \u0026gt; Policies \u0026gt; Windows Settings \u0026gt; Security Settings \u0026gt; Local Policies \u0026gt; User Rights Assignment \u0026gt; \\\"Allow log on locally\\\".\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eRefer to the \\\"\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent\\\"\u003eCreate a Dedicated Service Account for the User-ID Agent\u003c/a\u003e\\\" and \\\"\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/configure-credential-detection-with-the-windows-based-user-id-agent\\\"\u003eConfigure Credential Detection with the Windows User-ID Agent\u003c/a\u003e\\\" guidelines to ensure service accounts are configured with appropriate permissions and restrictions.\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account\\u2019s permissions. The impact varies by configuration:\\n * Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention under a Domain Credential Filter https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions configuration.\\n * Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account\\u2019s permissions. The impact varies by configuration:\u003cbr\u003e\u003cul\u003e\u003cli\u003eMinimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention\\\"\u003eCredential Phishing Prevention\u003c/a\u003e under a \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions\\\"\u003eDomain Credential Filter\u003c/a\u003e configuration.\u003c/li\u003e\u003cli\u003eElevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.\u0026nbsp;\u003c/li\u003e\u003c/ul\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-497\", \"description\": \"CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere\"}]}], \"x_affectedList\": [\"User-ID Credential Agent 11.0.2\"], \"providerMetadata\": {\"orgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"shortName\": \"palo_alto\", \"dateUpdated\": \"2025-09-12T17:16:53.868Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-4235\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-13T03:55:32.456Z\", \"dateReserved\": \"2025-05-02T19:10:50.812Z\", \"assignerOrgId\": \"d6c1279f-00f6-4ef7-9217-f89ffe703ec0\", \"datePublished\": \"2025-09-12T17:16:53.868Z\", \"assignerShortName\": \"palo_alto\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…