=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN605
_____________________________________________________________________

DATE                : 12/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running User-ID Credential Agent.

=====================================================================
https://security.paloaltonetworks.com/CVE-2025-4235
_____________________________________________________________________

CVE-2025-4235 User-ID Credential Agent: Cleartext Exposure of Service
Account password

Urgency MODERATE

Severity 4.2 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density DIFFUSE
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction NONE
Product Confidentiality HIGH
Product Integrity LOW
Product Availability LOW
Privileges Required LOW
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH
Published 2025-09-10
Updated 2025-09-10
Reference WINAGENT-1130
Discovered externally


Description

An information exposure vulnerability in the Palo Alto Networks
User-ID Credential Agent (Windows-based) can expose the service
account password under specific non-default configurations. This
allows an unprivileged Domain User to escalate privileges by
exploiting the account’s permissions. The impact varies by
configuration:

    Minimally Privileged Accounts: enable disruption of User-ID
    Credential Agent operations (e.g., uninstalling or disabling the
    agent service), weakening network security policies that leverage
    Credential Phishing Prevention under a Domain Credential Filter
    configuration.

    Elevated Accounts (Server Operator, Domain Join, Legacy
    Features): permit increased impacts, including server control
    (e.g., shutdown/restart), domain manipulation (e.g., rogue
    computer objects), and network compromise via reconnaissance
    or client probing.


Product Status

Versions                              Affected                         Unaffected
User-ID Credential Agent 11.0.0       >= 11.0.2-133 on Windows,        < 11.0.2-133 on Windows,
                                      < 11.0.3 on Windows              >= 11.0.3 on Windows

Severity: MEDIUM, Suggested Urgency: MODERATE

Elevated Service Accounts
MEDIUM - CVSS-BT: 4.2 /CVSS-B: 7.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Minimally Privileged Service Account
LOW - CVSS-BT: 1.9 /CVSS-B: 5.8 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)


Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of
this issue.


Weakness Type and Impact

CWE-497 Exposure of Sensitive System Information to an Unauthorized
Control Sphere

CAPEC-37: Retrieve Embedded Sensitive Data


Solution

Version                                    Minor Version               Suggested Solution
User-ID Credential Agent 11.0 on Windows   11.0.2-133                  Upgrade to 11.0.3 or later
                                           11.0.0 through 11.0.1-104   No action needed.

Workarounds and Mitigations

    By default, Domain Users cannot log in to Domain Controllers. However,
    this can be changed through Group Policy. To reduce privilege escalation
    risks, review the "Allow log on locally" setting in the Default Domain
    Controllers Policy and remove any Domain Users listed there.
    Windows Server 2019 and 2022 path:
        Group Policy Management > Domain Controllers > Select GPO (Edit) >
        Computer Configuration > Policies > Windows Settings > Security
        Settings > Local Policies > User Rights Assignment >
        "Allow log on locally".

    Refer to the "Create a Dedicated Service Account for the User-ID Agent"
    and "Configure Credential Detection with the Windows User-ID Agent"
    guidelines to ensure service accounts are configured with appropriate
    permissions and restrictions.
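The following PowerShell audit is an added illustration of the first
workaround; it is not part of this advisory or of Palo Alto Networks'
tooling. It reads the Default Domain Controllers Policy through the
GroupPolicy (RSAT) module and lists who holds "Allow log on locally"
(SeInteractiveLogonRight), flagging any entry that grants it to Domain
Users. It assumes the GPO keeps its default name and that the caller can
read it; the well-known SIDs it checks (RID 513 = Domain Users,
S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone) are standard Windows
identities, not values from the advisory.

```powershell
# Added audit script (not from the advisory). Assumes the GroupPolicy module
# is installed and the Default Domain Controllers Policy has its default name.
Import-Module GroupPolicy

$gpoName = 'Default Domain Controllers Policy'
[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml

# The report uses prefixed namespaces; local-name() keeps the XPath portable.
$right = $report.SelectSingleNode(
    "//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeInteractiveLogonRight']")

if (-not $right) {
    Write-Output "'$gpoName' does not define SeInteractiveLogonRight; each DC's local policy applies."
    exit 0
}

# Well-known identities that include every domain user (standard Windows SIDs):
#   RID 513 = Domain Users, S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone.
$broadSids = @('S-1-5-11', 'S-1-1-0')
$findings  = @()

foreach ($member in $right.SelectNodes("*[local-name()='Member']")) {
    $name    = $member.SelectSingleNode("*[local-name()='Name']").InnerText
    $sidNode = $member.SelectSingleNode("*[local-name()='SID']")
    $sid     = if ($sidNode) { $sidNode.InnerText } else { '' }

    # Flag by SID where available, and by name in case the SID is unresolved.
    $broad = ($sid -match '-513$') -or ($broadSids -contains $sid) -or
             ($name -like '*\Domain Users')

    [pscustomobject]@{ Principal = $name; SID = $sid; GrantsDomainUsers = $broad }
    if ($broad) { $findings += $name }
}

if ($findings) {
    Write-Warning ("Remove from 'Allow log on locally' in '$gpoName': " + ($findings -join ', '))
} else {
    Write-Output "No Domain Users-equivalent entry holds SeInteractiveLogonRight in '$gpoName'."
}
```

Run it from a domain-joined administration host; the same right can also be granted by other GPOs linked to the Domain Controllers OU, so the Group Policy Results view on a DC remains the authoritative effective-rights check.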

Acknowledgments
Palo Alto Networks thanks an external reporter for discovering and
reporting this issue.


Timeline
2025-09-10         Initial Publication

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
