CVE-2025-4227
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green
Summary
An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.
An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | GlobalProtect App | 6.3.0 < 6.3.2-566 | affected |
| Palo Alto Networks | GlobalProtect App | 6.2.0 < 6.2.8-h2 | affected |
| Palo Alto Networks | GlobalProtect App | 6.1.0 | affected |
| Palo Alto Networks | GlobalProtect App | 6.0.0 | affected |
| Palo Alto Networks | GlobalProtect App | All < 11.2.7 | unaffected |
Weaknesses
- CWE-319: CWE-319 Cleartext Transmission of Sensitive Information
Workarounds
Available Mitigation when solution interferes with Autonomous Digital Experience Management (ADEM) * ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem functionality depends on ICMP probes that must be sent outside of the secure tunnel. When "Allow Gateway Access from GlobalProtect Only" is set to "Yes" and "Endpoint Traffic Policy Enforcement" is configured as "All Traffic," these ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.
- This issue can be addressed by changing "Endpoint Traffic Policy Enforcement" to "All TCP/UDP Traffic." This adjustment prevents interception of TCP and UDP traffic while allowing ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem probes to function properly. However, this configuration still permits ICMP, and other non-TCP/UDP traffic to be intercepted.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.