CVE-2025-4232 GlobalProtect: Authenticated Code Injection Through Wildcard on macOS
Description
An improper neutralization of wildcards vulnerability in the log collection feature of Palo Alto Networks GlobalProtect™ app on macOS allows a non administrative user to escalate their privileges to root.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on Windows, Linux, Android, iOS, Chrome OS | All on Windows, Linux, Android, iOS, Chrome OS |
GlobalProtect App 6.3 | < 6.3.3 on macOS | >= 6.3.3 on macOS |
GlobalProtect App 6.2 | < 6.2.8-h2 [6.2.8-c243] on macOS | >= 6.2.8-h2 [6.2.8-c243] on macOS |
GlobalProtect App 6.1 | All on macOS | None on macOS |
GlobalProtect App 6.0 | All on macOS | None on macOS |
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: HIGH, Suggested Urgency: MODERATE
CVSS-BT: 7.1 / CVSS-B: 8.5 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-155: Improper Neutralization of Wildcards or Matching Symbols
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
GlobalProtect App 6.3 on macOS |
6.3.0 through 6.3.2 | Upgrade to 6.3.3 or later. |
GlobalProtect App 6.2 on macOS | 6.2.0 through 6.2.8-223 | Upgrade to 6.2.8-c243 or later. |
GlobalProtect App 6.1 on macOS | Upgrade to 6.2.8-c243or 6.3.3 or later. | |
GlobalProtect App 6.0 on macOS | Upgrade to 6.2.8-c243 or 6.3.3 or later. | |
GlobalProtect App on Windows | No action needed. | |
GlobalProtect App on Linux | No action needed. | |
GlobalProtect App on Android | No action needed. | |
GlobalProtect App on iOS | No action needed. | |
GlobalProtect App on Chrome OS | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:macOS:*:*