CVE-2025-4235: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks User-ID Credential Agent
Description
An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account’s permissions. The impact varies by configuration:
- Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention (https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention) under a Domain Credential Filter (https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-features/credential-phishing-prevention/methods-to-check-for-corporate-credential-submissions) configuration.
- Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing.
AI Analysis
Technical Summary
CVE-2025-4235 is a vulnerability classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) affecting the Palo Alto Networks User-ID Credential Agent on Windows platforms. The agent collects user identity information for use in Palo Alto Networks security policies. The vulnerability arises when the service account password is exposed under specific non-default configurations, allowing an unprivileged Domain User to obtain that credential. Once the password is exposed, the attacker can escalate privileges to whatever the service account is permitted to do. With a minimally privileged service account, an attacker can disrupt the User-ID Credential Agent service, for example by uninstalling or disabling it, which undermines security features such as Credential Phishing Prevention under Domain Credential Filter configurations. With an account that holds elevated privileges (e.g., Server Operator, Domain Join, Legacy Features), more severe actions become possible, including server shutdown or restart, creation of rogue computer objects in the domain, and reconnaissance or probing of network clients, potentially leading to broader network compromise. Exploitation requires local access with low privileges and no user interaction. The CVSS 4.0 vector indicates low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or exploits are currently documented, but the vulnerability is publicly disclosed and rated high severity.
Potential Impact
The vulnerability poses a significant risk to organizations using Palo Alto Networks User-ID Credential Agent, especially those with non-default configurations that expose service account credentials. Attackers with low-level domain access can escalate privileges, potentially gaining control over critical servers and domain infrastructure. This can lead to disruption of security enforcement mechanisms, weakening defenses against credential phishing and other attacks. Elevated privilege exploitation can result in domain manipulation, unauthorized server control, and network reconnaissance, increasing the risk of lateral movement and widespread compromise. The impact extends to confidentiality, integrity, and availability of network security operations, potentially affecting sensitive corporate data and critical infrastructure. Organizations relying on Palo Alto Networks security policies that integrate User-ID information are particularly at risk, as disabling or uninstalling the agent can degrade security posture.
Mitigation Recommendations
- Audit and review the configuration of the User-ID Credential Agent, ensuring the service account has the least privilege necessary, and avoid the non-default configurations that expose the password.
- Implement strict access controls so that unprivileged domain users cannot access service account credentials.
- Monitor and restrict permissions for accounts holding elevated privileges such as Server Operator or Domain Join roles.
- Employ robust logging and alerting to detect unusual activity related to the User-ID Credential Agent service, including service stoppage or uninstallation attempts.
- Regularly update and patch Palo Alto Networks software as updates become available; although no patches are currently listed, stay alert for vendor advisories.
- Consider isolating the User-ID Credential Agent service account from other critical domain roles to limit potential damage.
- Conduct periodic security assessments and penetration testing focused on privilege escalation paths involving service accounts.
- Educate administrators on secure configuration best practices for Palo Alto Networks products to prevent inadvertent exposure.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: palo_alto
- Date Reserved: 2025-05-02T19:10:50.812Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c457e4c2c897903a232035
Added to database: 9/12/2025, 5:27:00 PM
Last enriched: 2/27/2026, 3:07:03 AM
Last updated: 3/24/2026, 6:06:46 AM
Views: 236