CVE-2025-4227

Summary

An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.

An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksGlobalProtect App6.3.0 < 6.3.2-566affected
Palo Alto NetworksGlobalProtect App6.2.0 < 6.2.8-h2affected
Palo Alto NetworksGlobalProtect App6.1.0affected
Palo Alto NetworksGlobalProtect App6.0.0affected
Palo Alto NetworksGlobalProtect AppAll < 11.2.7unaffected

Weaknesses

  • CWE-319: CWE-319 Cleartext Transmission of Sensitive Information

Workarounds

Available Mitigation when solution interferes with Autonomous Digital Experience Management (ADEM) * ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem functionality depends on ICMP probes that must be sent outside of the secure tunnel. When "Allow Gateway Access from GlobalProtect Only" is set to "Yes" and "Endpoint Traffic Policy Enforcement" is configured as "All Traffic," these ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References