[Palo Alto Networks Security Advisories] CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

Palo Alto Networks Security Advisories /CVE-2024-9473

CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

UrgencyMODERATE

Severity2.4 ·LOW

Exploit MaturityPOC

Response EffortMODERATE

RecoveryUSER

Value DensityCONCENTRATED

Attack ComplexityLOW

Attack RequirementsPRESENT

AutomatableNO

User InteractionNONE

Product ConfidentialityNONE

Product IntegrityLOW

Product AvailabilityNONE

Privileges RequiredLOW

Subsequent ConfidentialityHIGH

Subsequent IntegrityHIGH

Subsequent AvailabilityHIGH

CVE JSON CSAF

Published2024-10-09

Updated2025-08-11

ReferenceGPC-19493,GPC-21211

Discoveredexternally

Description

A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.

Product Status

Versions	Affected	Unaffected
GlobalProtect App	None on macOS, Linux, Chrome OS, Android, iOS	All on macOS, Linux, Chrome OS, Android, iOS
GlobalProtect App 6.3	< 6.3.1-c383 on Windows	>= 6.3.1-c383 on Windows
GlobalProtect App 6.2	< 6.2.5 on Windows	>= 6.2.5 on Windows
GlobalProtect App 6.1	< 6.1.4-c720 on Windows	>= 6.1.4-c720 on Windows
GlobalProtect App 6.0	< 6.0.10-c823 on Windows	>= 6.0.10-c823 on Windows
GlobalProtect App 5.1	All on Windows	None on Windows
GlobalProtect UWP App	None	All

Required Configuration for Exposure

No special configuration is required to be affected by this issue.

Severity:LOW, Suggested Urgency:MODERATE

CVSS-BT:2.4 /CVSS-B:5.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, a proof of concept for this issue is publicly available.

Weakness Type and Impact

CWE-250 Execution with Unnecessary Privileges

CAPEC-233 Privilege Escalation

Solution

This issue is fixed in GlobalProtect app 6.0.10-c823, GlobalProtect app 6.1.4-c720, GlobalProtect app 6.2.5, GlobalProtect app 6.3.1-c383, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available.

Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com.

Workarounds and Mitigations

Update the Windows registry on endpoints with an affected version of GlobalProtect to disable all MSI installations (not just GlobalProtect installations). This change is system-wide, so it will affect all users of the system including administrators. The following command will update the registry on an endpoint to disable the repair functionality of any MSI file. It will also prevent using MSI files to install, re-install, or uninstall software. This command must be run with administrative privileges.

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f

Be aware that this will fully prevent use of all MSI files, thereby blocking common IT operations such as software deployments typically done by endpoint management solutions that use MSI files to perform the installations. Use caution before updating this value in the registry. After setting DisableMSI to 2, this value will need to be either deleted or changed to another value in order to use any MSI files. For more information, please see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi.

Acknowledgments

Palo Alto Networks thanks Michael Baer of SEC Consult Vulnerability Lab and Marc Barrantes of KPMG Spain for discovering and reporting this issue.

CPE Applicability

cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.0.10 and up to (excluding)6.0.10-c823
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.1.4 and up to (excluding)6.1.4-c720
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.2.0 and up to (excluding)6.2.5
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.3.1 and up to (excluding)6.3.1-c383
ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)5.1.0

Timeline

2025-08-11Corrected GlobalProtect UWP App to not affected. Added CVSS-BT score

2024-10-24Added fix version for GlobalProtect app 6.1 to the Product Status table

2024-10-23Added fix version for GlobalProtect app 6.0 to the Product Status table

2024-10-15Added fix version for GlobalProtect app 6.3 to the Product Status table

2024-10-14Added a workaround section

2024-10-09Initial publication

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, OSINT, threatintel

[Palo Alto Networks Security Advisories] CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability