[Palo Alto Networks Security Advisories] CVE-2025-4227 GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement
Description
An improper access control vulnerability in the Endpoint Traffic Policy Enforcement feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.
An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on Linux, Android, iOS, Chrome OS, UWP ¹ | All on Linux, Android, iOS, Chrome OS, UWP ¹ |
GlobalProtect App 6.3 | < 6.3.2-566 ² on Windows, macOS, < 6.3.3-HF (ETA: 12 June, 2025) on Windows, macOS | >= 6.3.2-566 ² on Windows, macOS, >= 6.3.3-HF (ETA: 12 June, 2025) on Windows, macOS |
GlobalProtect App 6.2 | < 6.2.8-HF2 (ETA: June, 2025) on Windows, macOS | >= 6.2.8-HF2 (ETA: June, 2025) on Windows, macOS |
GlobalProtect App 6.1 | All on Windows, macOS | None on Windows, macOS |
GlobalProtect App 6.0 | All on Windows, macOS | None on Windows, macOS |
¹ Endpoint Traffic Policy Enforcement is exclusively available on GlobalProtect App for Windows and macOS platforms. GlobalProtect App versions on other operating systems are unaffected by this vulnerability because they don’t include this feature.
² GlobalProtect App 6.3.2-566 is a limited availability release. To obtain a copy, please reach out to Palo Alto Networks Support.
Required Configuration for Exposure
This issue affects Windows and macOS endpoints with “Endpoint Traffic Policy Enforcement” enabled. To verify if you have Endpoint Traffic Policy Enforcement enabled:
- Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations > Endpoint Traffic Policy Enforcement > (Option not set to: “No”)
Severity: LOW, Suggested Urgency: REDUCED
CVSS-BT: 0.3 / CVSS-B: 2.0 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:L/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-319 Cleartext Transmission of Sensitive Information
Solution
1. Upgrade the GlobalProtect App to one of the unaffected versions:
Version | Minor Version | Suggested Solution |
---|---|---|
GlobalProtect App 6.3 on Windows, macOS | 6.3.3 | No solution available. A hotfix is planned (ETA: 12 June 2025). |
GlobalProtect App 6.3 on Windows, macOS | 6.3.0 through 6.3.2 | Upgrade to 6.3.2-566 or later. |
GlobalProtect App 6.2 on Windows, macOS | 6.2.0 through 6.2.8 | Upgrade to 6.3.2-566 or later. A hotfix is planned (ETA: June 2025). |
GlobalProtect App 6.1 on Windows, macOS | All | Upgrade to 6.3.2-566 or later. |
GlobalProtect App 6.0 on Windows, macOS | All | Upgrade to 6.3.2-566 or later. |
GlobalProtect App on Linux, Android, iOS, Chrome OS, UWP | All | Not applicable. |
2. Ensure that “Endpoint Traffic Policy Enforcement” is set to “All Traffic” under the GlobalProtect App Configurations.
- Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations > Endpoint Traffic Policy Enforcement (Select: All Traffic)
- Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations > Allow Gateway Access from GlobalProtect Only (Select: Yes)
Workarounds and Mitigations
Available mitigation when the solution interferes with Autonomous Digital Experience Management (ADEM)
- ADEM functionality depends on ICMP probes that must be sent outside of the secure tunnel. When “Allow Gateway Access from GlobalProtect Only” is set to “Yes” and “Endpoint Traffic Policy Enforcement” is configured as “All Traffic,” these ADEM probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.
- This issue can be addressed by changing “Endpoint Traffic Policy Enforcement” to “All TCP/UDP Traffic.” This adjustment prevents interception of TCP and UDP traffic while allowing ADEM probes to function properly. However, this configuration still permits ICMP and other non-TCP/UDP traffic to be intercepted.
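The exposure check in "Required Configuration for Exposure", the upgrade table in "Solution" and the ADEM trade-off above can be folded into one fleet audit rule. The following is an added example, not Palo Alto Networks code: it takes the advisory's own fields (endpoint platform, app version string such as "6.3.2-566", the portal's "Endpoint Traffic Policy Enforcement" value and whether "Allow Gateway Access from GlobalProtect Only" is Yes) and returns the status and action the advisory prescribes. The hotfix builds (6.2.8-HF2, 6.3.3-HF) were still ETAs at publication and are not modelled; the function and field names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed audit helper for CVE-2025-4227 (not vendor code). Inputs mirror the
# advisory's fields; version strings follow the "major.minor.patch[-build]" form
# the advisory uses, e.g. "6.3.2-566".
FEATURE_PLATFORMS = {"windows", "macos"}   # feature exists only here (footnote 1)
FIXED_63 = (6, 3, 2, 566)                  # limited-availability fixed build
ADVISORY_BRANCHES = {(6, 0), (6, 1), (6, 2), (6, 3)}

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'6.3.2-566' -> (6, 3, 2, 566); a plain 'x.y.z' gets build 0 so it sorts below any -NNN build."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)

def assess(platform: str, version: str, etpe: str, gp_only: bool) -> Dict[str, object]:
    """Classify one endpoint and list the hardening gaps from Solution step 2."""
    if platform.lower() not in FEATURE_PLATFORMS:
        return {"status": "not_applicable", "action": "none (feature absent on this platform)", "notes": []}
    if etpe == "No":
        return {"status": "not_exposed", "action": "none (Endpoint Traffic Policy Enforcement is off)", "notes": []}
    v = parse_version(version)
    if v[:2] not in ADVISORY_BRANCHES:
        return {"status": "unknown", "action": "version not covered by the advisory", "notes": []}
    if v[:3] == (6, 3, 3):                     # 6.3.3-HF was still an ETA at publication
        status, action = "affected", "no fix available yet; hotfix planned (ETA 12 June 2025)"
    elif v[:2] == (6, 3) and v >= FIXED_63:
        status, action = "fixed", "none"
    else:                                      # 6.0, 6.1, 6.2 and 6.3 below 6.3.2-566
        status, action = "affected", "upgrade to 6.3.2-566 or later"
    notes: List[str] = []
    if etpe == "All TCP/UDP Traffic":
        notes.append("ADEM-compatible setting: ICMP and other non-TCP/UDP traffic can still be intercepted")
    elif etpe != "All Traffic":
        notes.append("set Endpoint Traffic Policy Enforcement to 'All Traffic'")
    if not gp_only:
        notes.append("set 'Allow Gateway Access from GlobalProtect Only' to Yes")
    return {"status": status, "action": action, "notes": notes}

if __name__ == "__main__":
    # Constructed sample fleet: (hostname, platform, version, ETPE setting, GP-only flag)
    fleet = [("win-01", "Windows", "6.1.7", "All TCP/UDP Traffic", False),
             ("mac-02", "macOS", "6.3.2-566", "All Traffic", True),
             ("lnx-03", "Linux", "6.3.1", "All Traffic", True)]
    for host, *fields in fleet:
        print(host, assess(*fields))
```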
Acknowledgments
CPEs
Timeline