Palo Alto Networks Security Advisories / CVE-2024-9473

CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability

Urgency MODERATE

047910
Severity 2.4 · LOW
Exploit Maturity POC
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity LOW
Product Availability NONE
Privileges Required LOW
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH

Description

A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.

Product Status

VersionsAffectedUnaffected
GlobalProtect AppNone on macOS, Linux, Chrome OS, Android, iOSAll on macOS, Linux, Chrome OS, Android, iOS
GlobalProtect App 6.3< 6.3.1-c383 on Windows>= 6.3.1-c383 on Windows
GlobalProtect App 6.2< 6.2.5 on Windows>= 6.2.5 on Windows
GlobalProtect App 6.1< 6.1.4-c720 on Windows>= 6.1.4-c720 on Windows
GlobalProtect App 6.0< 6.0.10-c823 on Windows>= 6.0.10-c823 on Windows
GlobalProtect App 5.1All on WindowsNone on Windows
GlobalProtect UWP AppNoneAll

Required Configuration for Exposure

No special configuration is required to be affected by this issue.

Severity: LOW, Suggested Urgency: MODERATE

CVSS-BT: 2.4 / CVSS-B: 5.2 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/E:P/AU:N/R:U/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue. However, a proof of concept for this issue is publicly available.

Weakness Type and Impact

CWE-250 Execution with Unnecessary Privileges

CAPEC-233 Privilege Escalation

Solution

This issue is fixed in GlobalProtect app 6.0.10-c823, GlobalProtect app 6.1.4-c720, GlobalProtect app 6.2.5, GlobalProtect app 6.3.1-c383, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available.

Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com.

Workarounds and Mitigations

Update the Windows registry on endpoints with an affected version of GlobalProtect to disable all MSI installations (not just GlobalProtect installations). This change is system-wide, so it will affect all users of the system including administrators. The following command will update the registry on an endpoint to disable the repair functionality of any MSI file. It will also prevent using MSI files to install, re-install, or uninstall software. This command must be run with administrative privileges.

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f

Be aware that this will fully prevent use of all MSI files, thereby blocking common IT operations such as software deployments typically done by endpoint management solutions that use MSI files to perform the installations. Use caution before updating this value in the registry. After setting DisableMSI to 2, this value will need to be either deleted or changed to another value in order to use any MSI files. For more information, please see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi.

Acknowledgments

Palo Alto Networks thanks Michael Baer of SEC Consult Vulnerability Lab and Marc Barrantes of KPMG Spain for discovering and reporting this issue.

CPE Applicability

Timeline

Corrected GlobalProtect UWP App to not affected. Added CVSS-BT score
Added fix version for GlobalProtect app 6.1 to the Product Status table
Added fix version for GlobalProtect app 6.0 to the Product Status table
Added fix version for GlobalProtect app 6.3 to the Product Status table
Added a workaround section
Initial publication
© 2025 Palo Alto Networks, Inc. All rights reserved.