[Palo Alto Networks Security Advisories] CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

March 12, 2025

Palo Alto Networks Security Advisories /CVE-2025-0117

CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

UrgencyMODERATE

047910
Severity4.3 ·MEDIUM
Exploit MaturityUNREPORTED
Response EffortMODERATE
RecoveryUSER
Value DensityDIFFUSE
Attack ComplexityLOW
Attack RequirementsNONE
AutomatableNO
User InteractionPASSIVE
Product ConfidentialityNONE
Product IntegrityHIGH
Product AvailabilityNONE
Privileges RequiredLOW
Subsequent ConfidentialityHIGH
Subsequent IntegrityHIGH
Subsequent AvailabilityHIGH
CVEJSONCSAF
Published2025-03-12
Updated2025-03-12
ReferenceGPC-19863
Discoveredexternally

Description

A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM.

GlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and GlobalProtect UWP App are not affected.

Product Status

VersionsAffectedUnaffected
GlobalProtect AppNone on iOS
None on Android
None on Chrome OS
None on macOS
All on iOS
All on Android
All on Chrome OS
All on macOS
GlobalProtect App 6.3< 6.3.3 on Windows
>= 6.3.3 on Windows (ETA: April 2025)
GlobalProtect App 6.2< 6.2.6 on Windows
>= 6.2.6 on Windows
GlobalProtect App 6.1All on Windows
None on Windows
GlobalProtect App 6.0All on Windows
None on Windows
GlobalProtect UWP AppNone
All

Required Configuration for Exposure

No special configuration is required to be vulnerable to this issue.

Severity:MEDIUM, Suggested Urgency:MODERATE

A local Windows user (or malware) with non-administrative rights elevates their privileges to NT AUTHORITY\SYSTEM.
CVSS-BT:4.3 /CVSS-B:7.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-807 Reliance on Untrusted Inputs in a Security Decision

CAPEC-233 Privilege Escalation

Solution

Version
Suggested Solution
GlobalProtect App 6.3 on Windows
Upgrade to 6.3.3 or later
GlobalProtect App 6.2 on Windows
Upgrade to 6.2.6 or later
GlobalProtect App 6.1 on Windows
Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later
GlobalProtect App 6.0 on Windows
Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later
GlobalProtect App on LinuxNo action needed
GlobalProtect App on iOSNo action needed
GlobalProtect App on AndroidNo action needed
GlobalProtect UWP AppNo action needed

Solution for new and existing GlobalProtect app installation on Windows

You can use your endpoint mobile device management (MDM) tools to apply the following changes:
  1. Install a fixed version of the GlobalProtect app.
  2. Update the following registry key with the specified value (uses the REG_SZ type):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
    “check-communication”=”yes”
  3. Restart the operating system to apply this registry change.

Alternate solution for new GlobalProtect app installation on Windows

Install the GlobalProtect app with the pre-deployment key CHECKCOMM set to “yes”:

msiexec.exe /i GlobalProtect64.msi CHECKCOMM="yes"

Note: This command adds the registry value from the previous solution instructions—no additional MSI options are needed.

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Handelsbanken AB F-Secure for discovering and reporting the issue.

CPEs

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*

Timeline

Initial Publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

To keep up to date follow us on the below channels.

Tags: , ,

You may have missed

image

[CACTUS] – Ransomware Victim: thermoid[.]com

March 12, 2025
image

[CACTUS] – Ransomware Victim: baillie[.]com

March 12, 2025
image

[CACTUS] – Ransomware Victim: tempel[.]com

March 12, 2025
image

[FUNKSEC] – Ransomware Victim: extremeperformance[.]com

March 12, 2025
image

[BABUK2] – Ransomware Victim: hitekgroup[.]in india Finance

March 12, 2025