Impact
An unauthenticated Server-Side Request Forgery (SSRF) flaw in the IKEv2 certificate URL fetching routine allows an attacker to force a Palo Alto Networks PAN-OS device to send HTTP or HTTPS requests to arbitrary internal or external servers. The vulnerability, classified as CWE-918, can be leveraged to probe internal network resources or exhaust firewall resources, potentially resulting in a denial of service. It carries a CVSS score of 4.8.
Affected Systems
The flaw affects the Palo Alto Networks Cloud NGFW, PAN-OS, and Prisma Access product lines. For PAN-OS, affected versions include 10.2.0 up through 10.2.18-h5, 11.1.x through 11.1.14-h33, 11.2.x through 11.2.11, and 12.1.x through 12.1.6. Specific upgrade guidance is provided by Palo Alto Networks: upgrade to 10.2.18-h6 or later, 11.1.15 or later, 11.2.12 or later, or 12.1.7 or later. Cloud NGFW and Prisma Access are not impacted and require no action; older unsupported PAN-OS versions should be upgraded to a supported fixed release.
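To turn the version list above into something that can be run against a device inventory, the following is an added example (it is not Palo Alto Networks tooling). It assumes the PAN-OS version string format X.Y.Z with an optional -hN hotfix suffix, treats the "upgrade to X or later" release in each train as the first fixed build, and uses a constructed sample inventory; the device names are made up.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple


class PanosVersion(NamedTuple):
    """PAN-OS release as a comparable tuple; hotfix is 0 when there is no -hN suffix."""
    major: int
    minor: int
    patch: int
    hotfix: int


# PAN-OS version strings look like "10.2.18" or "10.2.18-h5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanosVersion:
    """Parse a PAN-OS version string; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(patch), int(hotfix or 0))


# First fixed release per affected train, taken from the advisory's
# "upgrade to X or later" guidance. Anything below the fixed release in the
# same train is treated as affected.
FIXED_BY_TRAIN: Dict[Tuple[int, int], PanosVersion] = {
    (10, 2): parse_version("10.2.18-h6"),
    (11, 1): parse_version("11.1.15"),
    (11, 2): parse_version("11.2.12"),
    (12, 1): parse_version("12.1.7"),
}
# The advisory lists 10.2 as the oldest train with a fix; anything older is
# described as unsupported and should move to a supported fixed release.
OLDEST_SUPPORTED_TRAIN = (10, 2)


def assess(version_text: str) -> str:
    """Classify one PAN-OS version as affected, fixed, unsupported or not_listed."""
    v = parse_version(version_text)
    train = (v.major, v.minor)
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is not None:
        # Tuple comparison: 10.2.18 (hotfix 0) < 10.2.18-h6, 10.2.19 > 10.2.18-h6.
        return "affected" if v < fixed else "fixed"
    if train < OLDEST_SUPPORTED_TRAIN:
        return "unsupported"
    # Trains the advisory does not mention (e.g. newer than 12.1): check separately.
    return "not_listed"


def assess_inventory(rows: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map device name -> status for an inventory of (name, version) pairs."""
    return {name: assess(version) for name, version in rows}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical devices, not real ones).
    inventory = [
        ("fw-branch-01", "10.2.18-h5"),
        ("fw-dc-01", "11.1.15"),
        ("fw-lab-01", "10.1.9"),
    ]
    for name, status in assess_inventory(inventory).items():
        print(f"{name}: {status}")
```

The "fixed or later" rule is deliberately used instead of an upper bound on the affected range, so a hotfix the advisory does not list (for example a hypothetical 11.1.14-h34) is still reported as affected until the device reaches the named fixed release.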
Risk and Exploitability
The risk is moderate: the CVSS score is mid-range, but no authentication is required. The vulnerability can be exploited remotely by any party able to initiate an IKEv2 VPN connection to the device, enabling an attacker to trigger either unintended internal requests or a DoS condition. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is known to date. The attack involves sending a crafted IKEv2 packet containing a malicious URL in the certificate request, which the device then fetches without proper validation.
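The missing step the paragraph above refers to is validation of an externally supplied URL before the device fetches it. As an added example (not Palo Alto Networks code; the vendor's actual fetching logic is not published on this page), the block below shows the kind of egress check that a CWE-918 mitigation applies: web schemes and standard ports only, no embedded credentials, and every address the host maps to must be globally routable. The resolver is injectable so the code runs offline; the hostnames cert.example.net, v6.example.net and rebind.test and the DNS answers in the demo are constructed.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Policy for outbound fetches triggered by untrusted input: web schemes only,
# standard ports only, and only hosts that map to globally routable addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

Resolver = Callable[[str], Iterable[str]]


def system_resolve(host: str) -> List[str]:
    """Resolve a name to every A/AAAA answer the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr_text: str) -> bool:
    """True only for globally routable addresses: loopback, RFC 1918, link-local,
    CGNAT, multicast, documentation and reserved ranges are all rejected."""
    addr = ipaddress.ip_address(addr_text)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by its embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def validate_fetch_url(url: str, resolver: Resolver = system_resolve) -> List[str]:
    """Validate an externally supplied URL before any fetch.

    Returns the vetted addresses the caller should connect to. Pin the
    connection to one of them instead of resolving the name again, which
    closes the DNS-rebinding window. Raises ValueError on rejection.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port  # raises ValueError itself for a non-numeric or out-of-range port
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")

    # A literal address is checked directly; a name is resolved and *every*
    # answer must pass, so a record set mixing public and internal addresses fails.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolver(host))
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"host {host!r} maps to non-public address {addr}")
    return addresses


def is_safe_fetch_url(url: str, resolver: Resolver = system_resolve) -> bool:
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline; the names are not real.
    fake_dns = {"cert.example.net": ["93.184.216.34"],
                "rebind.test": ["93.184.216.34", "10.0.0.5"]}
    resolve = lambda host: fake_dns.get(host, [])
    for candidate in ("https://cert.example.net/ca.crt",
                      "http://127.0.0.1/ca.crt",
                      "http://rebind.test/ca.crt"):
        verdict = "allowed" if is_safe_fetch_url(candidate, resolve) else "rejected"
        print(candidate, "->", verdict)
```

Two design choices matter for the failure modes this advisory describes. Resolving once and returning the vetted addresses lets the caller connect to a checked address rather than re-resolving, and checking every answer rather than the first one means a name that maps to both a public and an internal address is refused. A fetch timeout and a per-peer rate limit would still be needed on top of this to address the resource-exhaustion side of the issue; they are out of scope for this block.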
OpenCVE Enrichment