[Palo Alto Networks Security Advisories] CVE-2025-0140 GlobalProtect App: Non Admin User Can Disable the GlobalProtectApp
Palo Alto Networks Security Advisories /CVE-2025-0140
CVE-2025-0140 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App
Description
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS and Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so.
The GlobalProtect app on Windows, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App | None on Android None on Chrome OS None on iOS None on Windows | All on Android All on Chrome OS All on iOS All on Windows |
| GlobalProtect App 6.3 | < 6.3.3-h1 (6.3.3-c650) on macOS | >= 6.3.3-h1 (6.3.3-c650) on macOS |
| GlobalProtect App 6.2 | < 6.2.8-h2 (6.2.8-c243) on macOS < 6.2.8 on Linux | >= 6.2.8-h2 (6.2.8-c243) on macOS >= 6.2.8 on Linux (ETA: July 11 2025) |
| GlobalProtect App 6.1 | All on macOS All on Linux | None on macOS None on Linux |
| GlobalProtect App 6.0 | All on macOS All on Linux | None on macOS None on Linux |
| GlobalProtect UWP App | None | All |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity:MEDIUM, Suggested Urgency:MODERATE
CVSS-BT:4.3 /CVSS-B:6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-266: Incorrect Privilege Assignment
CAPEC-578 Disable Security Software
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| GlobalProtect App 6.3 on macOS | 6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
| GlobalProtect App 6.2 on macOS | 6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
| GlobalProtect App 6.1 on macOS | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
| GlobalProtect App 6.0 on macOS | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
| GlobalProtect App 6.2 on Linux | 6.2.0 through 6.2.8 | Upgrade to 6.2.8 or later. |
| GlobalProtect App 6.1 on Linux | Upgrade to 6.2.8 or later. | |
| GlobalProtect App 6.0 on Linux | Upgrade to 6.2.8 or later. | |
| GlobalProtect App on Android, iOS, Windows | No action needed. | |
| GlobalProtect UWP App All | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.3.3 and up to (excluding)6.3.3-h1_(6.3.3-c650)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.2.8 and up to (excluding)6.2.8-h2_(6.2.8-c243)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.0.0
- or
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.2.0 and up to (excluding)6.2.8
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.0.0
Timeline
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
