CVE-2025-4232 GlobalProtect: Authenticated Code Injection Through Wildcard on macOS

Palo Alto Networks Security Advisories / CVE-2025-4232

CVE-2025-4232 GlobalProtect: Authenticated Code Injection Through Wildcard on macOS

Urgency MODERATE

Severity 5.7 · MEDIUM

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery USER

Value Density DIFFUSE

Attack Vector LOCAL

Attack Complexity LOW

Attack Requirements NONE

Automatable NO

User Interaction NONE

Product Confidentiality NONE

Product Integrity HIGH

Product Availability NONE

Privileges Required LOW

Subsequent Confidentiality HIGH

Subsequent Integrity HIGH

Subsequent Availability HIGH

CVE JSON CSAF

Published 2025-06-11

Updated 2025-07-16

Reference GPC-21969

Discovered externally

Description

An improper neutralization of wildcards vulnerability in the log collection feature of Palo Alto Networks GlobalProtect™ app on macOS allows a non administrative user to escalate their privileges to root.

Product Status

Versions	Affected	Unaffected
GlobalProtect App	None on Windows, Linux, Android, iOS, Chrome OS	All on Windows, Linux, Android, iOS, Chrome OS
GlobalProtect App 6.3	< 6.3.3 on macOS	>= 6.3.3 on macOS
GlobalProtect App 6.2	< 6.2.8-h2 [6.2.8-c243] on macOS	>= 6.2.8-h2 [6.2.8-c243] on macOS
GlobalProtect App 6.1	All on macOS	None on macOS
GlobalProtect App 6.0	All on macOS	None on macOS

Required Configuration for Exposure

No special configuration is required to be affected by this issue.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 5.7 / CVSS-B: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-155: Improper Neutralization of Wildcards or Matching Symbols

CAPEC-248 Command Injection

Solution

Version	Minor Version	Suggested Solution
GlobalProtect App 6.3 on macOS	6.3.0 through 6.3.2	Upgrade to 6.3.3 or later.
GlobalProtect App 6.2 on macOS	6.2.0 through 6.2.8-223	Upgrade to 6.2.8-c243 or later.
GlobalProtect App 6.1 on macOS		Upgrade to 6.2.8-c243or 6.3.3 or later.
GlobalProtect App 6.0 on macOS		Upgrade to 6.2.8-c243 or 6.3.3 or later.
GlobalProtect App on Windows		No action needed.
GlobalProtect App on Linux		No action needed.
GlobalProtect App on Android		No action needed.
GlobalProtect App on iOS		No action needed.
GlobalProtect App on Chrome OS		No action needed.

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Rutger Flohil for discovering and reporting this issue.

CPEs

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*

Show MoreShow Less

CPE Applicability

cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:*:*:* is vulnerable from (including)6.3.0 and up to (excluding)6.3.3
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:*:*:* is vulnerable from (including)6.2.8 and up to (excluding)6.2.8-h2_[6.2.8-c243]
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:*:*:* is vulnerable from (including)6.1.0
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:*:*:* is vulnerable from (including)6.0.0

Timeline

2025-07-16 Updated CVSS Score

2025-06-23 Updated placeholder 6.2.8 version with the final version number, 6.2.8-c243.

2025-06-11 Initial Publication