Palo Alto Networks Prisma Access Browser (PAB) - Bypassing security controls via signature replay attack

CVE ID

CVE-2025-4616

Description

A weakness in the Palo Alto Networks Prisma Access Browser (PAB) signature verification logic allows an attacker to replay a different policy that carries a valid signature, effectively bypassing the intended integrity protections: the check confirms that a signature is genuine, but not that the signed policy is the one the browser should currently be enforcing.
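The generic class of weakness is easiest to see in code. The following is an added illustration written for this advisory, not PAB's own verification logic (which is not published here): a client that accepts any policy whose signature checks out will also accept a different, validly-signed policy that was captured earlier or issued for another context, whereas a verifier that additionally binds the policy to the expected tenant and requires a strictly increasing sequence number rejects the replay. The HMAC scheme, the `tenant` and `seq` fields and the policy contents are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use an asymmetric signature
# from the policy server, but the replay logic is identical.
SIGNING_KEY = b"constructed-demo-signing-key"


def _canonical(policy: dict) -> bytes:
    """Canonical JSON encoding so the signature covers exactly the policy bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(policy: dict) -> dict:
    """Produce a signed policy envelope (what a policy server would hand out)."""
    sig = hmac.new(SIGNING_KEY, _canonical(policy), hashlib.sha256).hexdigest()
    return {"policy": policy, "sig": sig}


def signature_valid(signed: dict) -> bool:
    """Cryptographic check only: is the signature genuine for this policy body?"""
    expected = hmac.new(SIGNING_KEY, _canonical(signed["policy"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def verify_signature_only(signed: dict, expected_tenant: str, last_seq: int) -> bool:
    """Weak verifier: trusts any validly-signed policy, regardless of which one it is.
    A captured older policy, or one signed for another tenant, is accepted."""
    return signature_valid(signed)


def verify_bound(signed: dict, expected_tenant: str, last_seq: int) -> bool:
    """Hardened verifier: genuine signature AND bound to the expected tenant AND
    newer than the policy already in force, so a replayed policy is rejected."""
    if not signature_valid(signed):
        return False
    policy = signed["policy"]
    if policy.get("tenant") != expected_tenant:
        return False  # valid signature, but issued for a different context
    if policy.get("seq", -1) <= last_seq:
        return False  # valid signature, but not newer than what is enforced
    return True


def demo() -> dict:
    """Run both verifiers against a current policy, a replayed older one,
    one for another tenant, and a tampered one. Returns the outcomes."""
    current = sign_policy({"tenant": "acme", "seq": 8, "allow_downloads": False})
    replayed = sign_policy({"tenant": "acme", "seq": 3, "allow_downloads": True})
    other_tenant = sign_policy({"tenant": "other", "seq": 9, "allow_downloads": True})
    tampered = dict(current)
    tampered["policy"] = {**current["policy"], "allow_downloads": True}
    enforced_seq = 7  # sequence number of the policy currently in force
    return {
        "current_ok_weak": verify_signature_only(current, "acme", enforced_seq),
        "current_ok_bound": verify_bound(current, "acme", enforced_seq),
        "replay_accepted_weak": verify_signature_only(replayed, "acme", enforced_seq),
        "replay_accepted_bound": verify_bound(replayed, "acme", enforced_seq),
        "other_tenant_weak": verify_signature_only(other_tenant, "acme", enforced_seq),
        "other_tenant_bound": verify_bound(other_tenant, "acme", enforced_seq),
        "tampered_weak": verify_signature_only(tampered, "acme", enforced_seq),
        "tampered_bound": verify_bound(tampered, "acme", enforced_seq),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The tampered case shows what signature checking alone does protect against (modified bytes); the replayed and other-tenant cases show what it does not. The defensive point is that integrity of a policy blob is only useful when the verifier also pins which policy it expects, here via tenant identity and a monotonic sequence number persisted by the client.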

Tested Versions

131.109.2963.1

Details

Palo Alto Networks Prisma Access Browser (PAB) is an enterprise browser that has emerged as a critical security control for organisations seeking to protect sensitive data and enforce security policies in cloud-first environments.

Timeline

  • 2024-12-30 - Vendor Disclosure
  • 2025-11-06 - Vendor Patched
  • 2025-11-13 - Public Release

Credit

Discovered by Tan Inn Fung, Yu Ann Ong, Zhang Bosen from the GovTech Cybersecurity Group.