CVE-2025-0138 is a vulnerability identified in Palo Alto Networks Prisma Cloud Compute Edition version 1, classified under CWE-613 (Insufficient Session Expiration). The issue arises because web sessions in the Prisma Cloud Compute Edition web interface do not expire when users are deleted. This means that even after a user account is removed from the system, any active session tokens or cookies associated with that user remain valid and can be used to access the system without re-authentication. This behavior creates a window of opportunity for unauthorized access, as former users or attackers who have obtained session tokens can continue to interact with the system despite the user’s deletion. The vulnerability does not affect the Prisma Cloud Enterprise Edition Compute component, limiting the scope to the Compute Edition only. The CVSS 4.0 base score is 2.0, indicating a low severity level. The vector indicates that the attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring partial privileges (PR:L), and user interaction (UI:A). The vulnerability impacts confidentiality (V:D) and integrity (VI:L) to a limited extent but does not affect availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient session management, specifically the failure to invalidate sessions upon user deletion, which is a common security best practice to prevent unauthorized access from stale sessions.

For European organizations using Prisma Cloud Compute Edition, this vulnerability could lead to unauthorized access to cloud compute management interfaces if user accounts are deleted but their sessions remain active. This could allow attackers or former employees to maintain access to sensitive cloud infrastructure management functions, potentially leading to data exposure or manipulation of cloud workloads. While the severity is rated low, the risk is heightened in environments with high user turnover or where session tokens are not otherwise tightly controlled. The impact on confidentiality and integrity, although limited, could be significant if attackers leverage this flaw to escalate privileges or move laterally within cloud environments. Given the increasing reliance on cloud-native security and compute management in Europe, especially in regulated sectors like finance, healthcare, and critical infrastructure, unauthorized access could have compliance and operational repercussions. However, the vulnerability requires partial privileges and user interaction, which somewhat limits exploitation likelihood.

European organizations should implement immediate compensating controls while awaiting official patches. These include enforcing strict session timeout policies independent of user account status, manually invalidating all active sessions when deleting user accounts, and monitoring session activity for anomalies. Administrators should audit user deletions and ensure that session revocation mechanisms are in place, possibly through API calls or direct session store management. Additionally, organizations should restrict privileges to minimize the number of users with access to Prisma Cloud Compute Edition and enforce multi-factor authentication to reduce the risk of session hijacking. Network segmentation and monitoring of Prisma Cloud management traffic can help detect unauthorized access attempts. Finally, organizations should stay updated with Palo Alto Networks advisories for patches or updates addressing this issue and apply them promptly once available.