A vulnerability exists in NetConnect (all version) and GlobalPortect (1.1.6 and earlier) whereby the agent does not verify the certificate presented by the portal server, enabling a possible Man-in-the-middle attack.
This vulnerability can result in an agent connecting to an attacker-controlled server allowing the attacker to receive the username and password of the affected user.
This issue affects NetConnect (all versions); GlobalProtect (1.1.6 and earlier).
|GlobalProtect 1.1||<= 1.1.6||>= 1.1.7|
CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
GlobalProtect 1.1.7 and later; NetConnect is discontinued.
No mitigations available.