CVE-2025-0138: CWE-613 Insufficient Session Expiration in Palo Alto Networks Prisma Cloud Compute Edition
Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue.
AI Analysis
Technical Summary
CVE-2025-0138 is a vulnerability identified in Palo Alto Networks Prisma Cloud Compute Edition version 1, classified under CWE-613 (Insufficient Session Expiration). The issue arises because web sessions in the Prisma Cloud Compute Edition web interface do not expire when users are deleted. This means that even after a user account is removed from the system, any active session tokens or cookies associated with that user remain valid and can be used to access the system without re-authentication. This creates a window for unauthorized access, as former users, or anyone holding one of their session tokens, can continue to interact with the system after the account has been deleted. The vulnerability does not affect the Compute component of Prisma Cloud Enterprise Edition, so the scope is limited to Compute Edition. The CVSS 4.0 base score is 2.0, indicating low severity. The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), and active user interaction (UI:A). The vulnerability has a limited impact on confidentiality (VC) and integrity (VI:L) and no impact on availability. No exploitation in the wild has been reported, and no patches have been linked yet. The root cause is insufficient session management: sessions are not invalidated when the user is deleted, whereas revoking all of a user's sessions at deletion time is a standard best practice for preventing unauthorized access through stale sessions.
Potential Impact
For European organizations using Prisma Cloud Compute Edition, this vulnerability could lead to unauthorized access to cloud compute management interfaces if user accounts are deleted but their sessions remain active. This could allow attackers or former employees to retain access to sensitive cloud infrastructure management functions, potentially leading to data exposure or manipulation of cloud workloads. While the severity is rated low, the risk is higher in environments with high user turnover or where session tokens are not otherwise tightly controlled. The impact on confidentiality and integrity, although limited, could be significant if attackers use this flaw to escalate privileges or move laterally within cloud environments. Given the increasing reliance on cloud-native security and compute management in Europe, especially in regulated sectors such as finance, healthcare, and critical infrastructure, unauthorized access could have compliance and operational repercussions. However, exploitation requires low privileges and active user interaction, which somewhat limits its likelihood.
Mitigation Recommendations
European organizations should implement immediate compensating controls while awaiting official patches. These include enforcing strict session timeout policies independent of user account status, manually invalidating all active sessions when deleting user accounts, and monitoring session activity for anomalies. Administrators should audit user deletions and ensure that session revocation mechanisms are in place, possibly through API calls or direct session store management. Additionally, organizations should restrict privileges to minimize the number of users with access to Prisma Cloud Compute Edition and enforce multi-factor authentication to reduce the risk of session hijacking. Network segmentation and monitoring of Prisma Cloud management traffic can help detect unauthorized access attempts. Finally, organizations should stay updated with Palo Alto Networks advisories for patches or updates addressing this issue and apply them promptly once available.
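To make the root cause and the compensating control concrete, here is an added illustration that is not Prisma Cloud code and not from the advisory: a constructed in-memory session store with the CWE-613 deletion routine (account removed, sessions left valid) beside a deletion routine that revokes the user's sessions in the same step, plus a per-request account re-check as defence in depth. All names, the `demo()` scenario and the 900-second idle timeout are assumptions.

```python
import secrets


class SessionStore:
    """Server-side session table; constructed for illustration, not Prisma Cloud code."""
    def __init__(self, idle_timeout=900):
        self.users = set()  # ids of accounts that currently exist
        self.sessions = {}  # token -> {"user": id, "last_seen": epoch seconds}
        self.idle_timeout = idle_timeout

    def login(self, user_id, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user_id, "last_seen": now}
        return token

    def delete_user_vulnerable(self, user_id):
        # CWE-613 pattern: the account is gone, but its sessions stay valid.
        self.users.discard(user_id)

    def delete_user_fixed(self, user_id):
        # Remove the account and revoke every session bound to it in one step.
        self.users.discard(user_id)
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user_id}
        return before - len(self.sessions)  # record this count in the audit log

    def authenticate(self, token, now, recheck_user=False):
        # Return the user id for a valid session, else None (and drop the session).
        s = self.sessions.get(token)
        if s is None:
            return None
        expired = now - s["last_seen"] > self.idle_timeout
        # Defence in depth: confirm on every request that the account still exists,
        # so a missed revocation cannot keep a deleted user's session alive.
        orphaned = recheck_user and s["user"] not in self.users
        if expired or orphaned:
            del self.sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]


def demo():
    store = SessionStore()
    store.users.update({"alice", "bob"})
    tok_a = store.login("alice", now=1000)
    store.delete_user_vulnerable("alice")
    stale = store.authenticate(tok_a, now=1010)                      # "alice": still accepted
    orphan = store.authenticate(tok_a, now=1020, recheck_user=True)  # None: orphan dropped
    tok_b = store.login("bob", now=2000)
    revoked = store.delete_user_fixed("bob")                          # 1
    fixed = store.authenticate(tok_b, now=2010)                       # None: revoked
    return {"stale_accepted": stale, "orphan": orphan, "revoked": revoked, "fixed": fixed}
```

The idle timeout applies regardless of account status, which is the "session timeout policy independent of user account status" recommended above; the revocation count returned by `delete_user_fixed` is what an audit of user deletions would expect to see logged.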
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: palo_alto
- Date Reserved: 2024-12-20T23:24:41.254Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec884
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 1:39:56 PM
Last updated: 8/15/2025, 5:30:56 AM