CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability
Description
A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM.
The GlobalProtect app on macOS, Linux, iOS, Android, and Chrome OS and the GlobalProtect UWP app are not affected.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on iOS, None on Android, None on Chrome OS, None on macOS | All on iOS, All on Android, All on Chrome OS, All on macOS |
GlobalProtect App 6.3 | < 6.3.3 on Windows | >= 6.3.3 on Windows (ETA: April 2025) |
GlobalProtect App 6.2 | < 6.2.6 on Windows | >= 6.2.6 on Windows |
GlobalProtect App 6.1 | All on Windows | None on Windows |
GlobalProtect App 6.0 | All on Windows | None on Windows |
GlobalProtect UWP App | None | All |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
A local Windows user (or malware) with non-administrative rights elevates their privileges to NT AUTHORITY\SYSTEM.
CVSS-BT: 4.3 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CAPEC-233 Privilege Escalation
Solution
Version | Suggested Solution |
---|---|
GlobalProtect App 6.3 on Windows | Upgrade to 6.3.3 or later |
GlobalProtect App 6.2 on Windows | Upgrade to 6.2.6 or later |
GlobalProtect App 6.1 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later |
GlobalProtect App 6.0 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later |
GlobalProtect App on Linux | No action needed |
GlobalProtect App on iOS | No action needed |
GlobalProtect App on Android | No action needed |
GlobalProtect UWP App | No action needed |
Solution for new and existing GlobalProtect app installation on Windows
You can use your endpoint mobile device management (MDM) tools to apply the following changes:
- Install a fixed version of the GlobalProtect app.
- Update the following registry key with the specified value (uses the REG_SZ type):
[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
"check-communication"="yes"
- Restart the operating system to apply this registry change.
Alternate solution for new GlobalProtect app installation on Windows
Install the GlobalProtect app with the pre-deployment key CHECKCOMM set to "yes":
msiexec.exe /i GlobalProtect64.msi CHECKCOMM="yes"
Note: This command adds the registry value from the previous solution instructions—no additional MSI options are needed.
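To confirm that an endpoint has both changes from the solution above (a fixed version and the registry value), the following PowerShell audit is an added example, not Palo Alto Networks code. It assumes the installed version can be read from the standard Windows Uninstall registry keys under a DisplayName containing "GlobalProtect"; the function names are illustrative.

```powershell
# Added example: audit one Windows endpoint against this advisory's two fix steps.
# Assumption: the installed version is discoverable through the standard Uninstall
# registry keys under a DisplayName containing "GlobalProtect".

# Minimum fixed release per branch, from the Solution table.
$FixedByBranch = @{ '6.3' = [version]'6.3.3'; '6.2' = [version]'6.2.6' }
# Branches the advisory lists as affected in every Windows release.
$NoFixBranches = @('6.1', '6.0')

function Get-GPVersionStatus {
    param([string]$DisplayVersion)
    # Compare on the leading major.minor.patch only; any build suffix is ignored.
    if ($DisplayVersion -match '^\d+\.\d+\.\d+') {
        $v = [version]$Matches[0]
        $branch = '{0}.{1}' -f $v.Major, $v.Minor
        if ($FixedByBranch.ContainsKey($branch)) {
            if ($v -ge $FixedByBranch[$branch]) { return 'Fixed' }
            return 'Vulnerable'
        }
        if ($NoFixBranches -contains $branch) { return 'Vulnerable' }
    }
    return 'Review'   # unparsable, or a branch this advisory does not cover
}

function Test-GPCheckCommunication {
    $key = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings' -ErrorAction SilentlyContinue
    if (-not $key -or $key.GetValueNames() -notcontains 'check-communication') { return $false }
    # The advisory specifies a REG_SZ value set to "yes".
    return ($key.GetValueKind('check-communication') -eq 'String') -and
           ($key.GetValue('check-communication') -eq 'yes')
}

$app = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*GlobalProtect*' } | Select-Object -First 1
$status = if ($app) { Get-GPVersionStatus $app.DisplayVersion } else { 'NotInstalled' }
$regOk  = Test-GPCheckCommunication

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    InstalledVersion   = $app.DisplayVersion
    VersionStatus      = $status
    CheckCommunication = $regOk
    Compliant          = ($status -eq 'Fixed') -and $regOk
}
```

The script cannot tell whether the operating system has been restarted since the registry value was written, so a `Compliant` result still depends on that step having been completed.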
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*