CVE-2025-0118

Summary

A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.

This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksGlobalProtect App6.3.0 < 6.3.3unaffected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.5affected
Palo Alto NetworksGlobalProtect App6.1.0 < 6.1.6affected
Palo Alto NetworksGlobalProtect App6.0.0 < 6.0.11affected
Palo Alto NetworksGlobalProtect AppAll < 6.3.3unaffected
Palo Alto NetworksGlobalProtect UWP AppAllunaffected

Weaknesses

  • CWE-618: CWE-618 Exposed Unsafe ActiveX Method

Workarounds

You can mitigate this issue by using a different form of authentication for the GlobalProtect portal such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos. You can find information about configuring authentication for the GlobalProtect portal in this documentation https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-authentication-configuration-tab .

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References