Palo Alto Exposes Passwords in Plain Text

Palo Alto’s CVE-2025-4235 leaks service passwords, demanding urgent patching and resets.

Written By
Ken Underhill
Sep 11, 2025

Palo Alto Networks recently disclosed a security flaw (CVE-2025-4235) that leaves service account passwords completely exposed in cleartext.

CVE-2025-4235 hits their User-ID Credential Agent, affecting Windows versions >= 11.0.2-133 and < 11.0.3. This is not just a typical software bug. It is a security issue that turns enterprise firewalls into credential goldmines for attackers.

But it gets worse. Researchers called out an earlier issue in Palo Alto’s password handling. They were able to pull not only VPN credentials, but also the deactivate and uninstall passwords from GlobalProtect clients.

Why this cleartext vulnerability represents something far worse

This latest vulnerability does more than expose passwords. It exposes a pattern. When the companies that protect everyone else cannot manage basic credential security, that is a warning siren you can hear from space.

The timing could not be worse for Palo Alto Networks. Back in January of 2025, they disclosed multiple vulnerabilities in their Expedition migration tool that enable an attacker to read Expedition database contents and arbitrary files containing usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.

These incidents are no longer isolated. The company has been battling a string of critical vulnerabilities, including the notorious CVE-2024-3400 from 2024. That one scored a 10.0 CVSS rating and allowed an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Security firm Volexity identified that it was a China-based threat actor actively exploiting these flaws.

The disturbing pattern behind Palo Alto security failures

Look closely and the same weakness keeps popping up: catastrophic credential management. Those Expedition tool issues from months ago included an OS command injection vulnerability that resulted in disclosure of usernames, cleartext passwords, device configurations, and device API keys.

Meanwhile, researchers have been pulling credentials from GlobalProtect installations like candy from a piñata. One security team reported that the credentials to access the VPN were different than the ones used to log on to the machine, so they walked away with a second set of credentials for relay into the environment.

Additionally, earlier in 2025, CVE-2025-0120 let a local Windows user escalate their privileges to NT AUTHORITY\SYSTEM, with no special configuration required to be affected.

What this means for your organization right now

The cleartext password exposure in CVE-2025-4235 creates immediate risk. Unlike encrypted credentials that require heavier lifting to crack, cleartext passwords can be harvested on sight by anyone with system access: malware, an insider, or an attacker who already has a foothold.

If you run affected Palo Alto systems, assume compromise and move fast. Update to version 11.0.3 or later, rotate all service account passwords, and turn up monitoring for odd authentication patterns. The recent disclosure means attackers are already thinking about how to use it.
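The triage described above can be scripted against an agent inventory. The following is an added example, not code from Palo Alto Networks or the article: it flags hosts in the stated affected range, lists the service accounts to rotate, and picks out logons by those accounts from unexpected hosts. The inventory and event fields, host names and account names are constructed, and treating the build suffix as a fourth numeric version component is an assumption.

```python
import re

# Affected range as stated in the article: >= 11.0.2-133 and < 11.0.3
AFFECTED_MIN = (11, 0, 2, 133)
FIXED = (11, 0, 3, 0)

def parse_version(text):
    """'11.0.2-133' -> (11, 0, 2, 133); a missing build number counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED

def triage(inventory):
    """Return (hosts to upgrade, service accounts to rotate, unparsable hosts)."""
    upgrade, rotate, unknown = [], set(), []
    for row in inventory:
        try:
            hit = is_affected(row["version"])
        except ValueError:
            unknown.append(row["host"])  # review by hand, do not assume safe
            continue
        if hit:
            upgrade.append(row["host"])
            rotate.add(row["service_account"])
    return upgrade, sorted(rotate), unknown

def odd_logons(events, rotate, expected_hosts):
    """Logons by an exposed account from a host it does not normally use."""
    return [e for e in events
            if e["account"] in rotate
            and e["source"] not in expected_hosts.get(e["account"], set())]

# Constructed sample data (hypothetical hosts and accounts).
INVENTORY = [
    {"host": "ws-01", "version": "11.0.2-133", "service_account": "svc-uid-a"},
    {"host": "ws-02", "version": "11.0.2-101", "service_account": "svc-uid-b"},
    {"host": "ws-03", "version": "11.0.3-7", "service_account": "svc-uid-c"},
    {"host": "ws-04", "version": "unknown", "service_account": "svc-uid-d"},
]
EXPECTED = {"svc-uid-a": {"ws-01"}}
EVENTS = [
    {"account": "svc-uid-a", "source": "ws-01"},
    {"account": "svc-uid-a", "source": "laptop-77"},
    {"account": "svc-uid-c", "source": "laptop-77"},
]
```

Hosts whose version string cannot be parsed are returned separately so they get a manual check instead of being silently treated as unaffected.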

This vulnerability joins a growing list of Palo Alto security failures that have exposed organizations to nation-state actors and cybercriminals. With cleartext passwords now confirmed as a recurring issue across multiple Palo Alto products, security teams have to ask a hard question:

Is your network security stack protecting you? Or is it quietly creating new attack paths for determined adversaries?

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
