Palo Alto Networks has disclosed a critical security flaw in its GlobalProtect VPN application, used extensively by enterprises worldwide, that could allow locally authenticated users to escalate their privileges and gain administrative control over affected systems.
The vulnerability affects GlobalProtect versions running on Windows, macOS, and Linux platforms and enables non-administrative users with local access to escalate privileges to root (macOS/Linux) or NT AUTHORITY\SYSTEM (Windows). This escalation could potentially allow attackers to install malicious software, access sensitive system configurations, or establish persistent access.
Patch Urgently Required: No Workaround Available
Classified as CWE-426 (Untrusted Search Path), the vulnerability has been assigned a CVSS base score of 8.4, reflecting its high potential impact. Palo Alto Networks confirmed that no workarounds or mitigations are currently available. Immediate patching is the only solution.
Impacted Versions:
GlobalProtect 6.3 (macOS/Windows): Upgrade to 6.3.3-h1 (6.3.3-c650) or later
GlobalProtect 6.2 (macOS/Windows): Upgrade to 6.2.8-h2 (6.2.8-c243) or later
GlobalProtect 6.2 (Linux): Upgrade to 6.2.8 or later (fix expected by July 11, 2025)
GlobalProtect 6.1 & 6.0 (All platforms): Immediate upgrade required to the latest patched version
Not Affected: iOS, Android, Chrome OS, and UWP versions of GlobalProtect.
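For triaging an endpoint inventory against the version table above, the following added example (not code from Palo Alto Networks or the article) compares installed GlobalProtect version strings against the minimum fixed releases listed here. It assumes version strings of the form major.minor.patch with an optional -hN hotfix suffix, ignores the parenthesised build identifiers, and conservatively treats any release train with no listed fix (6.0, 6.1) as affected.

```python
import re
from typing import Tuple

# Minimum fixed releases per (release train, platform family), taken from the advisory text.
# Linux 6.2 is fixed at 6.2.8 with no hotfix suffix; 6.0 and 6.1 have no fixed build listed.
FIXED = {
    ("6.3", "desktop"): "6.3.3-h1",   # macOS / Windows
    ("6.2", "desktop"): "6.2.8-h2",   # macOS / Windows
    ("6.2", "linux"): "6.2.8",
}
UNAFFECTED_PLATFORMS = {"ios", "android", "chromeos", "uwp"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple; no hotfix suffix counts as hotfix 0."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version string: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(version: str, platform: str) -> bool:
    """True if this version/platform combination is below the fixed release from the advisory."""
    platform = platform.lower()
    if platform in UNAFFECTED_PLATFORMS:
        return False
    family = "linux" if platform == "linux" else "desktop"
    v = parse_version(version)
    fixed = FIXED.get((f"{v[0]}.{v[1]}", family))
    if fixed is None:
        # No fixed build listed for this train (e.g. 6.0, 6.1): treat as affected (conservative assumption)
        return True
    return v < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory (hostname, platform, installed version); not real hosts.
    inventory = [("wks-01", "windows", "6.3.3"), ("wks-02", "macos", "6.3.3-h1"),
                 ("srv-03", "linux", "6.2.7"), ("lab-04", "windows", "6.1.5"),
                 ("tab-05", "ios", "6.2.7")]
    for host, plat, ver in inventory:
        print(f"{host:8s} {plat:8s} {ver:10s} {'AFFECTED' if is_affected(ver, plat) else 'ok'}")
```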
Palo Alto Networks stated that no special configuration is needed for systems to be vulnerable, indicating that default installations are at risk. No known active exploitation has been reported so far.
Responsible Disclosure and Industry Response
Security researchers Alex Bourla and Graham Brereton discovered the vulnerability and responsibly disclosed it to Palo Alto Networks. The company has publicly acknowledged their contribution.
Given the widespread use of GlobalProtect in corporate environments, security professionals are urged to act swiftly. The potential for internal actors or malware exploiting this vulnerability makes immediate software updates critical to enterprise security.