
CVE-2025-0138: CWE-613 Insufficient Session Expiration in Palo Alto Networks Prisma Cloud Compute Edition

Severity: Low
Tags: Vulnerability, CVE, CVE-2025-0138, CWE-613
Published: Wed May 14 2025 (05/14/2025, 18:10:16 UTC)
Source: CVE
Vendor/Project: Palo Alto Networks
Product: Prisma Cloud Compute Edition

Description

Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue.

AI-Powered Analysis

Last updated: 07/06/2025, 13:39:56 UTC

Technical Analysis

CVE-2025-0138 is a vulnerability identified in Palo Alto Networks Prisma Cloud Compute Edition version 1, classified under CWE-613 (Insufficient Session Expiration). The issue arises because web sessions in the Prisma Cloud Compute Edition web interface do not expire when users are deleted: after a user account is removed from the system, any active session tokens or cookies associated with that user remain valid and can be used to access the system without re-authentication. This creates a window of opportunity for unauthorized access, as former users, or attackers who have obtained their session tokens, can continue to interact with the system despite the deletion. The Compute component of Prisma Cloud Enterprise Edition is not affected, so the scope is limited to Compute Edition only. The CVSS 4.0 base score is 2.0, indicating low severity. The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L) and active user interaction (UI:A). The vulnerability has a limited impact on confidentiality and integrity (VI:L) and no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient session management, specifically the failure to invalidate sessions upon user deletion; invalidating them at that point is a standard security practice that prevents unauthorized access from stale sessions.

Potential Impact

For European organizations using Prisma Cloud Compute Edition, this vulnerability could lead to unauthorized access to cloud compute management interfaces if user accounts are deleted but their sessions remain active. This could allow attackers or former employees to maintain access to sensitive cloud infrastructure management functions, potentially leading to data exposure or manipulation of cloud workloads. While the severity is rated low, the risk is heightened in environments with high user turnover or where session tokens are not otherwise tightly controlled. The impact on confidentiality and integrity, although limited, could be significant if attackers leverage this flaw to escalate privileges or move laterally within cloud environments. Given the increasing reliance on cloud-native security and compute management in Europe, especially in regulated sectors like finance, healthcare, and critical infrastructure, unauthorized access could have compliance and operational repercussions. However, the vulnerability requires partial privileges and user interaction, which somewhat limits exploitation likelihood.

Mitigation Recommendations

European organizations should implement immediate compensating controls while awaiting official patches. These include enforcing strict session timeout policies independent of user account status, manually invalidating all active sessions when deleting user accounts, and monitoring session activity for anomalies. Administrators should audit user deletions and ensure that session revocation mechanisms are in place, possibly through API calls or direct session store management. Additionally, organizations should restrict privileges to minimize the number of users with access to Prisma Cloud Compute Edition and enforce multi-factor authentication to reduce the risk of session hijacking. Network segmentation and monitoring of Prisma Cloud management traffic can help detect unauthorized access attempts. Finally, organizations should stay updated with Palo Alto Networks advisories for patches or updates addressing this issue and apply them promptly once available.
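The session-lifetime defect described in the technical analysis and the compensating control recommended above (revoke every session when an account is deleted, enforce timeouts independent of account status, and log the revocation so it can be monitored), shown as an added Python example. This is not Prisma Cloud Compute Edition code and says nothing about how its web interface actually implements sessions; the SessionStore, VulnerableApp and HardenedApp classes, the timeout values, the FakeClock and the audit log format are all hypothetical. The vulnerable variant deletes the user record but never tells the session store, so the token keeps authenticating (the CWE-613 pattern); the hardened variant revokes all of the user's sessions at deletion time, rejects orphaned or expired sessions at validation time, and records an audit event.

```python
"""Added example: session revocation on user deletion (hypothetical code,
not Prisma Cloud Compute Edition's implementation)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Hypothetical in-memory store: token -> Session, plus a user -> tokens
    index so every session a user holds can be revoked in one call."""

    def __init__(self, clock=time.time, idle_timeout=900, absolute_timeout=8 * 3600):
        self.clock = clock                    # injectable for deterministic tests
        self.idle_timeout = idle_timeout      # seconds since last request
        self.absolute_timeout = absolute_timeout  # seconds since login
        self.sessions = {}
        self.by_user = {}
        self.audit_log = []                   # constructed audit trail for monitoring

    def create(self, user_id):
        token = secrets.token_urlsafe(32)     # 256-bit random session token
        now = self.clock()
        self.sessions[token] = Session(user_id, now, now)
        self.by_user.setdefault(user_id, set()).add(token)
        return token

    def revoke_all(self, user_id, reason):
        """Drop every session of user_id; returns how many were revoked."""
        tokens = self.by_user.pop(user_id, set())
        for token in tokens:
            self.sessions.pop(token, None)
        self.audit_log.append({"event": "sessions_revoked", "user": user_id,
                               "count": len(tokens), "reason": reason})
        return len(tokens)


class App:
    def __init__(self, clock=time.time):
        self.users = set()
        self.store = SessionStore(clock)

    def add_user(self, user_id):
        self.users.add(user_id)

    def login(self, user_id):
        if user_id not in self.users:
            raise PermissionError("unknown user")
        return self.store.create(user_id)


class VulnerableApp(App):
    """CWE-613 pattern: deleting the user leaves every session it holds valid."""

    def delete_user(self, user_id):
        self.users.discard(user_id)           # the session store is never told

    def authenticate(self, token):
        return token in self.store.sessions   # only checks that the token exists


class HardenedApp(App):
    """Deletion revokes all sessions; validation re-checks user and timeouts."""

    def delete_user(self, user_id):
        self.users.discard(user_id)
        self.store.revoke_all(user_id, reason="user_deleted")

    def authenticate(self, token):
        session = self.store.sessions.get(token)
        if session is None:
            return False
        now = self.store.clock()
        expired = (now - session.last_seen > self.store.idle_timeout
                   or now - session.issued_at > self.store.absolute_timeout)
        # Defence in depth: if some deletion path skipped revoke_all, a session
        # whose user no longer exists is still rejected and dropped here.
        if expired or session.user_id not in self.users:
            self.store.revoke_all(session.user_id, reason="stale_or_orphaned")
            return False
        session.last_seen = now
        return True


class FakeClock:
    """Constructed clock so timeout behaviour can be shown deterministically."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Compare both variants after user deletion and after an absolute timeout."""
    results = {}
    for cls in (VulnerableApp, HardenedApp):
        app = cls(FakeClock(1_000_000.0))
        app.add_user("alice")
        token = app.login("alice")
        app.delete_user("alice")
        results[cls.__name__] = app.authenticate(token)
    clock = FakeClock(1_000_000.0)
    app = HardenedApp(clock)
    app.add_user("bob")
    token = app.login("bob")
    clock.advance(9 * 3600)                   # past the 8-hour absolute limit
    results["HardenedApp_after_timeout"] = app.authenticate(token)
    results["audit_events"] = len(app.store.audit_log)
    return results
```

Calling `demo()` returns a dict in which the vulnerable app still accepts alice's token after her account is deleted, while the hardened app rejects it, rejects bob's token once the absolute timeout has passed, and has written one revocation event to its audit log. The per-request check that the session's user still exists matters because revocation at deletion time only works if every deletion path (UI, API, bulk provisioning) calls `revoke_all`; the validation-time check catches any path that does not.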


Technical Details

Data Version
5.1
Assigner Short Name
palo_alto
Date Reserved
2024-12-20T23:24:41.254Z
CISA Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682cd0fb1484d88663aec884

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 1:39:56 PM

Last updated: 8/15/2025, 5:30:56 AM

Views: 18
