[Palo Alto Networks Security Advisories] CVE-2025-2183 GlobalProtect App: Improper Certificate Validation Leads to Privilege Escalation

CVE-2025-2183 GlobalProtect App: Improper Certificate Validation Leads to Privilege Escalation

Urgency: MODERATE
Severity: 4.5 · MEDIUM
Exploit Maturity: UNREPORTED
Response Effort: N/A
Recovery: USER
Value Density: DIFFUSE
Attack Vector: ADJACENT
Attack Complexity: LOW
Attack Requirements: PRESENT
Automatable: NO
User Interaction: PASSIVE
Product Confidentiality: HIGH
Product Integrity: HIGH
Product Availability: NONE
Privileges Required: NONE
Subsequent Confidentiality: NONE
Subsequent Integrity: NONE
Subsequent Availability: NONE

Description

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect™ app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.

Product Status

Versions | Affected | Unaffected
Global Protect UWP App | None | All
GlobalProtect App | None on Android; None on iOS; None on macOS | All on Android; All on iOS; All on macOS
GlobalProtect App 6.3 | < 6.3.3-h2 (6.3.3-c676) on Windows; < 6.3.3 on Linux | >= 6.3.3-h2 (6.3.3-c676) on Windows*; >= 6.3.3 on Linux (ETA: 9/1)*
GlobalProtect App 6.2 | < 6.2.8-h3 (6.2.8-c263) on Windows; All on Linux | >= 6.2.8-h3 (6.2.8-c263) on Windows*; None on Linux
GlobalProtect App 6.1 | All on Windows; All on Linux | None on Windows; None on Linux
GlobalProtect App 6.0 | All on Windows; All on Linux | None on Windows*; None on Linux

* In addition to the software updates listed above, additional steps are required to protect against this vulnerability. See the Solution section for full details.

Required Configuration for Exposure

GlobalProtect installations are impacted if either of the following conditions is true:
1. The portal pushes certificates to the client, which are then used to validate the Portal or Gateway’s certificate. These certificates are stored in the tca.cer file. If the certificates listed in “Trusted Root CA” include the entire certificate chain for the Portal or Gateway certificate, the configuration will be vulnerable.

2. GlobalProtect app is deployed with the “FULLCHAINCERTVERIFY” option set to yes. To learn more about this configuration, see the Solution section of this advisory.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.5 / CVSS-B: 7.4 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-295 Improper Certificate Validation

CAPEC-233 Privilege Escalation

Solution

Version | Minor Version | Suggested Solution
GlobalProtect App 6.3 on Windows | 6.3.0 through 6.3.2 | Upgrade to 6.3.2-h9 or 6.3.3-h2 or later*.
GlobalProtect App 6.2 on Windows | 6.2.0 through 6.2.8 | Upgrade to 6.2.8-h3 or later*.
GlobalProtect App 6.1 on Windows | | Upgrade to 6.2.8-h3 or 6.3.3-h2 or later*.
GlobalProtect App 6.0 on Windows | | Upgrade to 6.2.8-h3 or 6.3.3-h2 or later*.
GlobalProtect App 6.3 on Linux | 6.3.0 through 6.3.2 | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.2 on Linux | | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.1 on Linux | | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.0 on Linux | | Upgrade to 6.3.3 or later*.
GlobalProtect App on Android, iOS, macOS | | No action needed.
GlobalProtect UWP App | | No action needed.

* In addition to the software updates listed above, additional steps are required to protect against this vulnerability as described below:

Solution for new and existing GlobalProtect app installation on Windows / Linux
  1. Ensure the portal/gateway certificate can be validated using the operating system’s certificate store (e.g., Local Machine Certificate Store or Current User Certificate Store in Windows; for Linux, refer to this documentation).
  2. Remove any certificates associated with portal/gateway validation from the “Trusted Root CA” list on the Portal. 
  3. Enable portal setting: “Enable Strict Certificate Check” (set FULLCHAINCERTVERIFY to yes).
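
For fleet triage against the version thresholds in the Product Status and Solution tables above, the following is an added example (not code from the advisory or from Palo Alto Networks). It assumes inventory version strings are written as in this advisory (6.3.3, 6.3.3-h2, 6.3.3-c676); the function name, result labels and OS labels are hypothetical.

```python
import re

# Thresholds transcribed from the advisory's Product Status and Solution tables.
WIN_BRANCH_FIX = {(6, 3): (3, 2), (6, 2): (8, 3)}   # branch -> first fixed (patch, hotfix)
WIN_EXTRA_FIX = {(6, 3, 2): 9}                      # 6.3.2-h9 also carries the fix
WIN_FIX_BUILD = {(6, 3, 3): 676, (6, 2, 8): 263}    # build ids the advisory gives (-cNNN)
LINUX_FIX = (6, 3, 3)                               # 6.3.3 or later on Linux
UNAFFECTED = {"android", "ios", "macos", "uwp"}     # assumed inventory labels

# Assumed string form, as written in the advisory: 6.3.3, 6.3.3-h2, 6.3.3-c676
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([hc])(\d+))?$")

def triage(os_name, version):
    """Classify one inventory row: unaffected / upgrade / patched-check-config / unknown."""
    os_name = os_name.strip().lower()
    if os_name in UNAFFECTED:
        return "unaffected"
    m = _VER.match(version.strip())
    if os_name not in ("windows", "linux") or not m:
        return "unknown"
    base = tuple(int(g) for g in m.group(1, 2, 3))
    kind, num = m.group(4), int(m.group(5) or 0)
    if base < (6, 0, 0):
        return "unknown"            # releases before 6.0 are not listed in the advisory
    if os_name == "linux":
        fixed = base >= LINUX_FIX
    elif kind == "c":               # build id: only comparable where the advisory maps it
        if base not in WIN_FIX_BUILD:
            return "unknown"
        fixed = num >= WIN_FIX_BUILD[base]
    else:
        branch, patch = base[:2], base[2]
        fixed = (branch > (6, 3)
                 or (branch in WIN_BRANCH_FIX and (patch, num) >= WIN_BRANCH_FIX[branch])
                 or num >= WIN_EXTRA_FIX.get(base, float("inf")))
    # A fixed build is only protected once the portal-side steps are also applied.
    return "patched-check-config" if fixed else "upgrade"

# Constructed inventory rows (not real hosts).
SAMPLE = [("Windows", "6.3.3"), ("Windows", "6.3.2-h9"), ("Windows", "6.2.8-h2"),
          ("Linux", "6.2.8"), ("Linux", "6.3.3"), ("macOS", "6.3.0")]

if __name__ == "__main__":
    for os_name, ver in SAMPLE:
        print(f"{os_name:8} {ver:10} {triage(os_name, ver)}")
```

Hosts reported as "patched-check-config" still need steps 1 to 3 above before they are protected.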

Workarounds and Mitigations

No known workarounds exist for this issue.

Acknowledgments

Palo Alto Networks thanks Nikola Markovic of Palo Alto Networks and Maxime Escorbiac of Michelin CERT for discovering and reporting this issue.

CPE Applicability

    • cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.3.3 and up to (excluding) 6.3.3-h2_(6.3.3-c676)
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.2.8 and up to (excluding) 6.2.8-h3_(6.2.8-c263)
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.1.0
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including) 6.0.0
  • or
    • cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.3.0 and up to (excluding) 6.3.3
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.2.0
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.1.0
    • OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.0.0

Timeline

Initial Publication

