[Palo Alto Networks Security Advisories] CVE-2025-0141 GlobalProtect App: Privilege Escalation (PE) Vulnerability
Description
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non-administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on Windows.
The GlobalProtect app on iOS, Android, and Chrome OS and the GlobalProtect UWP app are not affected.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on Android; None on Chrome OS; None on iOS | All on Android; All on Chrome OS; All on iOS |
GlobalProtect App 6.3 | < 6.3.3-h1 (6.3.3-c650) on macOS; < 6.3.3-h1 (6.3.3-c650) on Windows | >= 6.3.3-h1 (6.3.3-c650) on macOS; >= 6.3.3-h1 (6.3.3-c650) on Windows |
GlobalProtect App 6.2 | < 6.2.8-h2 (6.2.8-c243) on macOS; < 6.2.8-h2 (6.2.8-c243) on Windows; < 6.2.8 on Linux | >= 6.2.8-h2 (6.2.8-c243) on macOS; >= 6.2.8-h2 (6.2.8-c243) on Windows; >= 6.2.8 on Linux (ETA: July 11 2025) |
GlobalProtect App 6.1 | All on macOS; All on Windows; All on Linux | None on macOS; None on Windows; None on Linux |
GlobalProtect App 6.0 | All on macOS; All on Windows; All on Linux | None on macOS; None on Windows; None on Linux |
GlobalProtect UWP App | None | All |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 5.7 / CVSS-B: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CAPEC-233 Privilege Escalation
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
GlobalProtect App 6.3 on macOS | 6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.3 on Windows | 6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.2 on macOS | 6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
GlobalProtect App 6.2 on Windows | 6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
GlobalProtect App 6.1 on macOS | | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.1 on Windows | | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.0 on macOS | | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.0 on Windows | | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.2 on Linux | 6.2.0 through 6.2.7 | Upgrade to 6.2.8 or later. |
GlobalProtect App 6.1 on Linux | | Upgrade to 6.2.8 or later. |
GlobalProtect App 6.0 on Linux | | Upgrade to 6.2.8 or later. |
GlobalProtect App on Android, Chrome OS, iOS | | No action needed. |
GlobalProtect UWP App | | No action needed. |
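
A fleet-inventory check built from the Product Status and Solution tables above, as an added example (not Palo Alto Networks code). It assumes clients report versions as X.Y.Z or X.Y.Z-hN; the function names, platform labels and sample inventory are constructed for illustration.

```python
import re

# Thresholds transcribed from the advisory's Product Status and Solution tables.
FIXED_IN = {
    ("6.3", "macos"): "6.3.3-h1",
    ("6.3", "windows"): "6.3.3-h1",
    ("6.2", "macos"): "6.2.8-h2",
    ("6.2", "windows"): "6.2.8-h2",
    ("6.2", "linux"): "6.2.8",  # advisory lists this fix with an ETA of July 11 2025
}
NO_FIX_BRANCHES = {"6.1", "6.0"}  # "All" affected; the fix is a move to 6.2 or 6.3
DESKTOP = {"macos", "windows", "linux"}
UNAFFECTED = {"android", "chrome os", "ios", "uwp"}

# Assumption: versions look like X.Y.Z or X.Y.Z-hN (hotfix N); anything else is rejected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix); a missing hotfix counts as 0."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def assess(platform, version):
    """Classify one install as 'affected', 'fixed', 'not affected' or 'not listed'."""
    plat = platform.strip().lower()
    if plat in UNAFFECTED:
        return "not affected"
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if plat in DESKTOP and branch in NO_FIX_BRANCHES:
        return "affected"
    fixed = FIXED_IN.get((branch, plat))
    if fixed is None:
        return "not listed"  # e.g. 6.3 on Linux: the advisory gives no status
    return "fixed" if parsed >= parse_version(fixed) else "affected"


def hosts_to_upgrade(inventory):
    """Return hostnames whose install is classified as affected."""
    return [host for host, plat, ver in inventory if assess(plat, ver) == "affected"]


# Constructed sample inventory: (hostname, platform, reported version).
SAMPLE = [
    ("mac-01", "macOS", "6.3.3"), ("win-07", "Windows", "6.3.3-h1"),
    ("mac-02", "macOS", "6.2.8-h1"), ("lnx-03", "Linux", "6.2.7"),
    ("win-09", "Windows", "6.1.7"), ("ipad-4", "iOS", "6.1.7"),
]
print(hosts_to_upgrade(SAMPLE))
```

Installs classified as "not listed" fall outside the advisory's tables and need a manual check against the vendor's current guidance.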
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Windows:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.3.3 and up to (excluding) 6.3.3-h1_(6.3.3-c650)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.3.3 and up to (excluding) 6.3.3-h1_(6.3.3-c650)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.2.8 and up to (excluding) 6.2.8-h2_(6.2.8-c243)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.2.8 and up to (excluding) 6.2.8-h2_(6.2.8-c243)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.1.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.1.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.0.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.0.0
- OR
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.2.0 and up to (excluding) 6.2.8
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.1.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.0.0
Timeline