Palo Alto Networks User-ID Credential Agent Vulnerability Exposes Password in Cleartext


A newly disclosed vulnerability in Palo Alto Networks’ User-ID Credential Agent for Windows, identified as CVE-2025-4235, could expose a service account’s password in cleartext under certain non-standard configurations.

This flaw creates a significant security risk, as it could allow an unprivileged domain user to escalate their privileges by exploiting the compromised account’s permissions.

The vulnerability has been rated medium severity. The information exposure flaw resides in the Windows-based User-ID Credential Agent and is triggered only by specific, non-default settings.

The primary danger lies in the potential for privilege escalation. The impact of the vulnerability varies depending on the level of permissions assigned to the service account in question.

If the account has minimally privileged access, an attacker could disrupt the operations of the User-ID Credential Agent.

This could involve actions like uninstalling or disabling the agent’s service, which in turn would weaken network security policies that rely on features like Credential Phishing Prevention.

However, if the service account has elevated privileges such as those of a Server Operator or permissions for Domain Join, the consequences are more severe.

An attacker could gain control over the server, with the ability to shut it down or restart it, manipulate the domain by adding rogue computer objects, or conduct network reconnaissance.

According to the security advisory released by Palo Alto Networks, specific versions of the User-ID Credential Agent are affected by this vulnerability.

The affected versions on Windows are 11.0.2-133 up to, but not including, version 11.0.3. Versions prior to 11.0.2-133 and version 11.0.3 and later are not affected.

To address this security issue, Palo Alto Networks has advised customers to upgrade their User-ID Credential Agent to version 11.0.3 or a later release.

The company has stated that there are no known workarounds to mitigate this issue, making the software update the only recommended solution.
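A way to sort an agent inventory against the affected range stated above, as an added example that is not from Palo Alto Networks or the original article. It assumes version strings of the form `major.minor.patch[-build]` gathered by your own inventory tooling; the hostnames and build numbers in the sample are constructed.

```python
import re

# Boundaries taken from the article: affected from 11.0.2-133 up to,
# but not including, 11.0.3.
FIRST_AFFECTED = (11, 0, 2, 133)
FIRST_FIXED = (11, 0, 3)

# Assumed format: major.minor.patch with an optional -build suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*$")


def classify(version):
    """Return 'affected', 'not_affected' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version or "")
    if not m:
        return "unknown"  # unparseable value: check the host by hand
    release = tuple(int(p) for p in m.group(1, 2, 3))
    build = int(m.group(4)) if m.group(4) is not None else None
    if release >= FIRST_FIXED:
        return "not_affected"  # 11.0.3 and later are listed as not affected
    if release < FIRST_AFFECTED[:3]:
        return "not_affected"  # anything before 11.0.2-133 is not affected
    # release == 11.0.2: the build number decides.
    if build is None:
        return "unknown"  # 11.0.2 without a build cannot be placed
    return "affected" if build >= FIRST_AFFECTED[3] else "not_affected"


def triage(inventory):
    """Group hostnames by classification; inventory maps host -> version."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "dc01": "11.0.2-133",
    "dc02": "11.0.2-101",
    "dc03": "11.0.3",
    "dc04": "11.0.2",
    "dc05": "11.0.1-104",
    "dc06": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` report a version without a build number or an unparseable value and need a manual check before they are cleared.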

The severity of this vulnerability depends on the configuration. For systems with elevated service accounts, the vulnerability is rated as Medium, with a CVSS score of 7.2.

For configurations with a minimally privileged service account, the rating is Low, with a CVSS score of 5.8. Palo Alto Networks has stated that it is not aware of any malicious exploitation of this vulnerability in the wild.

This vulnerability highlights the ongoing risks associated with misconfigurations and the importance of adhering to security best practices, especially when dealing with privileged accounts.
