CVE-2025-0117 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability
Description
A reliance on untrusted input for a security decision in the GlobalProtect app on Windows devices potentially enables a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY\SYSTEM.
GlobalProtect App on macOS, Linux, iOS, Android, Chrome OS and GlobalProtect UWP App are not affected.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on iOS, None on Android, None on Chrome OS, None on macOS | All on iOS, All on Android, All on Chrome OS, All on macOS |
GlobalProtect App 6.3 | < 6.3.3 on Windows | >= 6.3.3 on Windows (ETA: April 2025)* |
GlobalProtect App 6.2 | < 6.2.6 on Windows | >= 6.2.6 on Windows* |
GlobalProtect App 6.1 | All on Windows | None on Windows |
GlobalProtect App 6.0 | All on Windows | None on Windows |
GlobalProtect UWP App | None | All |
* In addition to the software updates listed above, additional steps are required to protect against this vulnerability. See the Solution section for full details.
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
A local Windows user (or malware) with non-administrative rights elevates their privileges to NT AUTHORITY\SYSTEM.
CVSS-BT: 4.3 / CVSS-B: 7.1 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CAPEC-233 Privilege Escalation
Solution
Version | Suggested Solution |
---|---|
GlobalProtect App 6.3 on Windows | Upgrade to 6.3.3 or later* |
GlobalProtect App 6.2 on Windows | Upgrade to 6.2.6 or later* |
GlobalProtect App 6.1 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later* |
GlobalProtect App 6.0 on Windows | Upgrade to 6.2.6 or later or upgrade to 6.3.3 or later* |
GlobalProtect App on Linux | No action needed |
GlobalProtect App on iOS | No action needed |
GlobalProtect App on Android | No action needed |
GlobalProtect UWP App | No action needed |
* In addition to the software updates listed above, additional steps are required to protect against this vulnerability as described below:
Solution for new and existing GlobalProtect app installation on Windows
You can use your endpoint mobile device management (MDM) tools to apply the following changes:
- Install a fixed version of the GlobalProtect app.
- Update the following registry key with the specified value (uses the REG_SZ type):
[HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings]
"check-communication"="yes"
- Restart the operating system to apply this registry change.
Alternate solution for new GlobalProtect app installation on Windows
Install the GlobalProtect app with the pre-deployment key CHECKCOMM set to "yes":
msiexec.exe /i GlobalProtect64.msi CHECKCOMM="yes"
Note: This command adds the registry value from the previous solution instructions—no additional MSI options are needed.
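To audit an endpoint against both solutions above, the following PowerShell check is an added example (not part of the Palo Alto Networks advisory) that verifies a fixed app version and the `check-communication` REG_SZ value. It assumes the installed version can be read from the standard Windows Uninstall registry entries under a DisplayName containing "GlobalProtect"; the function names are hypothetical.

```powershell
# Added example: audits one Windows endpoint against the two remediation steps above.
# Assumption: the installed app appears in the standard Uninstall registry entries
# with a DisplayName containing "GlobalProtect".
# Run from 64-bit PowerShell so HKLM:\SOFTWARE is not redirected to WOW6432Node.
function Test-GpFixedVersion {            # hypothetical helper name
    param([string]$DisplayVersion)
    if ($DisplayVersion -match '^\d+(\.\d+){1,3}') {
        $v = [version]$Matches[0]
        switch ("$($v.Major).$($v.Minor)") {
            '6.3'   { return $v -ge [version]'6.3.3' }
            '6.2'   { return $v -ge [version]'6.2.6' }
            '6.1'   { return $false }     # all 6.1 releases on Windows are affected
            '6.0'   { return $false }     # all 6.0 releases on Windows are affected
            default { return $null }      # release train not listed in the advisory
        }
    }
    return $null                          # missing or unparseable version string
}

function Get-GpCve20250117Status {        # hypothetical function name
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*GlobalProtect*' } |
        Select-Object -First 1

    # Registry value from the advisory: must exist, be REG_SZ, and equal "yes".
    $name = 'check-communication'
    $key  = Get-Item -Path 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings' `
                -ErrorAction SilentlyContinue
    $checkComm = [bool]($key -and ($key.GetValueNames() -contains $name) -and
        ($key.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::String) -and
        ($key.GetValue($name) -ceq 'yes'))

    $versionOk = Test-GpFixedVersion $app.DisplayVersion
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        InstalledVersion   = $app.DisplayVersion
        VersionFixed       = $versionOk   # $null = not installed or no verdict
        CheckCommunication = $checkComm
        Remediated         = ($versionOk -eq $true) -and $checkComm
    }
}

Get-GpCve20250117Status
```

A `Remediated` value of `True` covers the version and registry steps only; it does not confirm that the operating system was restarted after the registry change.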
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*