Palo Alto Security Center, March 13
CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)

 

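Palo Alto Networks has published a security advisory stating that the GlobalProtect App on Windows devices has a local privilege escalation vulnerability (CVE-2025-0117). The vulnerability stems from the GlobalProtect App's reliance on untrusted input and allows a local Windows user without administrator rights to escalate privileges to NT AUTHORITY\SYSTEM. Other platforms such as macOS, Linux, iOS, Android, and the GlobalProtect UWP App are not affected. Affected users are advised to upgrade as soon as possible to GlobalProtect App 6.3.3 or 6.2.6 and later, or to update the registry key value through MDM tools, to fix the vulnerability. No cases of malicious exploitation of this vulnerability have been found so far.

⚠️ The GlobalProtect App on Windows devices is affected by the CVE-2025-0117 local privilege escalation vulnerability; affected versions include 6.0, 6.1, 6.2 and 6.3.

🛡️ Affected users should upgrade to GlobalProtect App 6.3.3 or 6.2.6 and later, or fix the vulnerability by setting "check-communication" to "yes" under the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings] and restarting the system.

🛠️ For new GlobalProtect App installations, the app can be installed with the pre-deployment key CHECKCOMM set to "yes" (msiexec.exe /i GlobalProtect64.msi CHECKCOMM="yes") to avoid the vulnerability.

🙏 Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Handelsbanken AB F-Secure for discovering and reporting this issue.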


CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

Exploit Maturity: UNREPORTED
Response Effort: MODERATE
Recovery: USER
Value Density: DIFFUSE
Attack Vector: LOCAL
Attack Complexity: LOW
Attack Requirements: NONE
Automatable: NO
User Interaction: PASSIVE
Product Confidentiality: NONE
Product Integrity: HIGH
Product Availability: NONE
Privileges Required: LOW
Subsequent Confidentiality: HIGH
Subsequent Integrity: HIGH
Subsequent Availability: HIGH

Description

A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM.

GlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and GlobalProtect UWP App are not affected.

Product Status

Required Configuration for Exposure

No special configuration is required to be vulnerable to this issue.

Severity: MEDIUM, Suggested Urgency: MODERATE

A local Windows user (or malware) with non-administrative rights elevates their privileges to NT AUTHORITY\SYSTEM.

CVSS-BT: 4.3 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-807 Reliance on Untrusted Inputs in a Security Decision

CAPEC-233 Privilege Escalation

Solution

Version | Suggested Solution
GlobalProtect App 6.3 on Windows | Upgrade to 6.3.3 or later
GlobalProtect App 6.2 on Windows | Upgrade to 6.2.6 or later
GlobalProtect App 6.1 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later
GlobalProtect App 6.0 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later
GlobalProtect App on Linux | No action needed
GlobalProtect App on iOS | No action needed
GlobalProtect App on Android | No action needed
GlobalProtect UWP App | No action needed

Solution for new and existing GlobalProtect app installation on Windows

You can use your endpoint mobile device management (MDM) tools to apply the following changes:

    Install a fixed version of the GlobalProtect app.
    Update the following registry key with the specified value (uses the REG_SZ type):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
    "check-communication"="yes"
    Restart the operating system to apply this registry change.

Alternate solution for new GlobalProtect app installation on Windows

Install the GlobalProtect app with the pre-deployment key CHECKCOMM set to "yes":

msiexec.exe /i GlobalProtect64.msi CHECKCOMM="yes"

Note: This command adds the registry value from the previous solution instructions—no additional MSI options are needed.
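
The following PowerShell script is an added example, not Palo Alto Networks code. It audits an endpoint for both parts of the fix described above (a fixed app version and the "check-communication" value that either the MDM change or the CHECKCOMM install option writes) and can optionally set the value. Reading the version from an MSI uninstall entry whose DisplayName begins with "GlobalProtect" is an assumption, and the -Remediate switch and output property names are hypothetical.

```powershell
# Added example: audit (and optionally apply) the CVE-2025-0117 registry fix.
# Run elevated on the endpoint, e.g. as an MDM detection/remediation script.
param([switch]$Remediate)   # hypothetical switch: also write the value

$SettingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$ValueName   = 'check-communication'

# Assumption: the MSI registers an uninstall entry whose DisplayName starts
# with "GlobalProtect"; adjust the filter if your package differs.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'GlobalProtect*' } |
    Select-Object -First 1
$version = if ($entry) { $entry.DisplayVersion -as [version] }

# Fixed builds from the advisory: 6.3.3 or later, or 6.2.6 or later on 6.2.
$versionFixed = $false
if ($version) {
    $versionFixed = ($version -ge [version]'6.3.3') -or
        ($version.Major -eq 6 -and $version.Minor -eq 2 -and
         $version -ge [version]'6.2.6')
}

# Read the value and its type; the advisory specifies REG_SZ with "yes".
$key = Get-Item -Path $SettingsKey -ErrorAction SilentlyContinue
$value = $null; $kind = $null
if ($key -and ($key.GetValueNames() -contains $ValueName)) {
    $value = $key.GetValue($ValueName)
    $kind  = $key.GetValueKind($ValueName)
}
$registryFixed = ($kind -eq 'String') -and ($value -ceq 'yes')

$rebootRequired = $false
if ($Remediate -and $version -and -not $registryFixed) {
    if (-not (Test-Path $SettingsKey)) { New-Item -Path $SettingsKey -Force | Out-Null }
    New-ItemProperty -Path $SettingsKey -Name $ValueName -Value 'yes' `
        -PropertyType String -Force | Out-Null
    $value = 'yes'; $registryFixed = $true
    $rebootRequired = $true   # the change applies only after an OS restart
}

[pscustomobject]@{
    Version = $version; VersionFixed = $versionFixed
    CheckCommunication = $value; RegistryFixed = $registryFixed
    RebootRequired = $rebootRequired
    Compliant = $versionFixed -and $registryFixed -and -not $rebootRequired
}
```

The script cannot tell whether a value that was already present has been followed by a restart, so pair it with an uptime or last-boot check if that matters for your compliance reporting.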

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Maxime ESCOURBIAC, Michelin CERT, Yassine BENGANA, Abicom for Michelin CERT, and Handelsbanken AB F-Secure for discovering and reporting the issue.

CPEs

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*


Timeline

Initial Publication
