
Palo Alto User-ID Credential Agent: Cleartext Exposure of Service Account password (CVE-2025-4235)

CVE number = CVE-2025-4235

An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges by exploiting the account’s permissions. The impact varies by configuration:

  • Minimally Privileged Accounts: Enable disruption of User-ID Credential Agent operations (e.g., uninstalling or disabling the agent service), weakening network security policies that leverage Credential Phishing Prevention under a Domain Credential Filter configuration.
  • Elevated Accounts (Server Operator, Domain Join, Legacy Features): Permit increased impacts, including server control (e.g., shutdown/restart), domain manipulation (e.g., rogue computer objects), and network compromise via reconnaissance or client probing. 

Workarounds and Mitigations

  • By default, Domain Users cannot log in to Domain Controllers. However, this can be changed through Group Policy. To reduce privilege escalation risks, review the “Allow log on locally” setting in the Default Domain Controllers Policy and remove any Domain Users listed there. Windows Server 2019 and 2022 path:
    • Group Policy Management > Domain Controllers > Select GPO (Edit) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > “Allow log on locally”.
  • Refer to the “Create a Dedicated Service Account for the User-ID Agent” and “Configure Credential Detection with the Windows User-ID Agent” guidelines to ensure service accounts are configured with appropriate permissions and restrictions.
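The two mitigations above can be audited from a domain-joined admin workstation. The script below is an added example, not part of the Palo Alto advisory or of any Palo Alto tooling. It reads the "Allow log on locally" right (SeInteractiveLogonRight) out of the Default Domain Controllers Policy and flags Domain Users and other broad principals, then walks the nested group membership of the User-ID agent service account and flags the operator and admin groups the advisory calls "elevated". It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the caller can read the GPO and the directory, that the GPO report XML uses the GPO/Computer/ExtensionData/Extension/UserRightsAssignment layout, and that the account name is supplied by you; the default `svc-userid` is a placeholder.

```powershell
# Added example, not from the Palo Alto advisory or product documentation.
# 1. Lists who holds "Allow log on locally" in the Default Domain Controllers
#    Policy and marks broad principals (Domain Users, Authenticated Users, ...).
# 2. Lists privileged groups the User-ID agent service account is in,
#    including nested membership.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; read access to the
# GPO and directory; $ServiceAccount is your dedicated agent account
# ('svc-userid' below is a placeholder, not a name from the advisory).
param(
    [string]$GpoName        = 'Default Domain Controllers Policy',
    [string]$ServiceAccount = 'svc-userid'
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

# --- 1. "Allow log on locally" on domain controllers -------------------------
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
# Assumed report layout: GPO/Computer/ExtensionData/Extension/UserRightsAssignment,
# each with a Name element and one Member element per principal (Name + SID).
$logonRight = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
    Where-Object { $_.Name -eq 'SeInteractiveLogonRight' }

if (-not $logonRight) {
    Write-Warning "SeInteractiveLogonRight is not defined in '$GpoName'; check other GPOs linked to the Domain Controllers OU."
} else {
    # Principals that should never have interactive logon on a DC:
    # Authenticated Users, Everyone, BUILTIN\Users, and Domain Users (RID 513 of any domain).
    $broadSids = @('S-1-5-11', 'S-1-1-0', 'S-1-5-32-545')
    foreach ($m in $logonRight.Member) {
        $sid   = [string]$m.SID
        $broad = ($broadSids -contains $sid) -or ($sid -like 'S-1-5-21-*-513')
        $tag   = if ($broad) { 'REMOVE' } else { 'ok    ' }
        Write-Output ("[{0}] {1} ({2})" -f $tag, $m.Name, $sid)
    }
}

# --- 2. Privileged group membership of the agent service account ------------
$acct = Get-ADUser -Identity $ServiceAccount -Properties DistinguishedName
# Escape the DN for use inside an LDAP filter (RFC 4515): backslash first.
$dn = $acct.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                              -replace '\)', '\29' -replace '\*', '\2a'
# LDAP_MATCHING_RULE_IN_CHAIN returns nested (transitive) group membership in one query.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties SID

# Built-in operator/admin groups and domain admin groups the advisory treats as elevated.
$privilegedSids = @(
    'S-1-5-32-544',  # Administrators
    'S-1-5-32-548',  # Account Operators
    'S-1-5-32-549',  # Server Operators
    'S-1-5-32-550',  # Print Operators
    'S-1-5-32-551'   # Backup Operators
)
$privilegedRids = @('512', '519', '518')  # Domain Admins, Enterprise Admins, Schema Admins

$findings = 0
foreach ($g in $groups) {
    $sid = $g.SID.Value
    $rid = $sid.Split('-')[-1]
    if (($privilegedSids -contains $sid) -or
        (($sid -like 'S-1-5-21-*') -and ($privilegedRids -contains $rid))) {
        Write-Output ("[REMOVE] {0} is a member of privileged group {1} ({2})" -f $ServiceAccount, $g.Name, $sid)
        $findings++
    }
}
if ($findings -eq 0) {
    Write-Output ("[ok] {0} holds no privileged group membership" -f $ServiceAccount)
}
```

Lines tagged `[REMOVE]` correspond to the two risk tiers in the advisory: a broad principal on "Allow log on locally" lets a Domain User who recovers the agent password reach the DC interactively, and an agent account in an operator or admin group turns that password into server or domain control. There is no GroupPolicy cmdlet that edits user rights assignments, so the fix for the first finding is made through the GPMC path given above; the second is fixed by removing the account from the group and re-checking with the same script.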

Further details at – https://security.paloaltonetworks.com/CVE-2025-4235
