https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-needed-pan-os-11-2-x-vulnerability-status-and/m-p/1241901#M6445 <P>&nbsp;</P> <P><STRONG>1) Version Clarification&nbsp;<BR /></STRONG><EM>Is PAN-OS 11.2.x (specifically 11.2.4-h1) affected by CVE-2023-48795 (Terrapin SSH Attack)? The advisory lists up to 11.1.x but does not mention 11.2.x.&nbsp;<BR /></EM><STRONG>2) Mitigation Confirmation&nbsp;<BR /></STRONG><EM>If 11.2.x is affected, does disabling chacha20-poly1305<CODE></CODE>and Encrypt-then-MAC algorithms fully mitigate the risk, or is an upgrade required?&nbsp;<BR /></EM><STRONG>3) Hotfix Details&nbsp;<BR /></STRONG><EM>Does the hotfix version 11.2.4-h1 include the patch for CVE-2023-48795, or do we need to move to 11.2.4-h4 or later?<STRONG>4)</STRONG>&nbsp;</EM><STRONG>Future Advisory Updates&nbsp;<BR /></STRONG><EM>Will Palo Alto update the official advisory to include PAN-OS 11.2.x status for CVE-2023-48795?&nbsp;<BR /></EM><STRONG>5) Best Practice&nbsp;<BR /></STRONG><EM>What is the recommended approach for customers running PAN-OS 11.2.x regarding Terrapin SSH vulnerability—upgrade path or configuration hardening?</EM></P> <P>&nbsp;</P> Fri, 14 Nov 2025 13:15:39 GMT N.Parre 2025-11-14T13:15:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-needed-pan-os-11-2-x-vulnerability-status-and/m-p/1241901#M6445 <P>&nbsp;</P> <P><STRONG>1) Version Clarification&nbsp;<BR /></STRONG><EM>Is PAN-OS 11.2.x (specifically 11.2.4-h1) affected by CVE-2023-48795 (Terrapin SSH Attack)? The advisory lists up to 11.1.x but does not mention 11.2.x.&nbsp;<BR /></EM><STRONG>2) Mitigation Confirmation&nbsp;<BR /></STRONG><EM>If 11.2.x is affected, does disabling chacha20-poly1305<CODE></CODE>and Encrypt-then-MAC algorithms fully mitigate the risk, or is an upgrade required?&nbsp;<BR /></EM><STRONG>3) Hotfix Details&nbsp;<BR /></STRONG><EM>Does the hotfix version 11.2.4-h1 include the patch for CVE-2023-48795, or do we need to move to 11.2.4-h4 or later?<STRONG>4)</STRONG>&nbsp;</EM><STRONG>Future Advisory Updates&nbsp;<BR /></STRONG><EM>Will Palo Alto update the official advisory to include PAN-OS 11.2.x status for CVE-2023-48795?&nbsp;<BR /></EM><STRONG>5) Best Practice&nbsp;<BR /></STRONG><EM>What is the recommended approach for customers running PAN-OS 11.2.x regarding Terrapin SSH vulnerability—upgrade path or configuration hardening?</EM></P> <P>&nbsp;</P> Fri, 14 Nov 2025 13:15:39 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-needed-pan-os-11-2-x-vulnerability-status-and/m-p/1241901#M6445 N.Parre 2025-11-14T13:15:39Z https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-needed-pan-os-11-2-x-vulnerability-status-and/m-p/1241902#M6446 <P>according to&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2023-48795" target="_blank">https://security.paloaltonetworks.com/CVE-2023-48795</A></P> <P>1) 11.2 is not affected</P> <P>2) 11.2 is not affected so no mitigation required</P> <P>3) it looks like this issue was either fully addressed by the time 11.2.0 came into GA hence the whole train is not affected, or a library causing this vulnerability in previous versions is not present in 11.2</P> <P>4) according to the article, 11.2.0 is already unaffected, so later versions will also be unaffected. relapse to vulnerability in 11.2 would have been documented as such</P> <P>5) if you believe the above information is incorrect, please open a support case for an authoritative answer from a source inside palo alto</P> Fri, 14 Nov 2025 13:42:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/clarification-needed-pan-os-11-2-x-vulnerability-status-and/m-p/1241902#M6446 reaper 2025-11-14T13:42:38Z