CVE-2025-0118 GlobalProtect App: Execution of Unsafe ActiveX Control Vulnerability
Description
A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.
This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App | None on macOS, Linux, iOS, Android, Chrome OS | All on macOS, Linux, iOS, Android, Chrome OS |
| GlobalProtect App 6.3 | < 6.3.3 on Windows | >= 6.3.3 on Windows |
| GlobalProtect App 6.2 | < 6.2.5 on Windows | >= 6.2.5 on Windows |
| GlobalProtect App 6.1 | < 6.1.6 on Windows | >= 6.1.6 on Windows |
| GlobalProtect App 6.0 | < 6.0.11 on Windows | >= 6.0.11 on Windows |
| GlobalProtect UWP App | None | All |
Required Configuration for Exposure
You are vulnerable to this issue only if you configured GlobalProtect authentication to use SAML authentication.
You can verify whether you configured SAML authentication on your GlobalProtect portals by checking your firewall web interface (Network > GlobalProtect > Portals > (portal-config) > Authentication).
Severity: LOW, Suggested Urgency: MODERATE
An attacker deceives an authenticated Windows user and entices the user to navigate to a malicious web page during the GlobalProtect SAML login process.
CVSS-BT:
2.2 /
CVSS-B:
6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-618 Exposed Unsafe ActiveX Method
CAPEC-104 Cross Zone Scripting
Solution
The issue is addressed by hardening the browser embedded in GlobalProtect app to disallow ActiveX plugins. This security enhancement is implemented in patched versions of the GlobalProtect app, so upgrading resolves the issue.
| Version | Suggested Solution |
|---|---|
| GlobalProtect App 6.3 on Windows | Upgrade to 6.3.3 or later |
| GlobalProtect App 6.2 on Windows | Upgrade to 6.2.5 or later |
| GlobalProtect App 6.1 on Windows | Upgrade to 6.1.6 or later |
| GlobalProtect App 6.0 on Windows | Upgrade to 6.0.11 or later |
| GlobalProtect App on macOS | No action needed |
| GlobalProtect App on Linux | No action needed |
| GlobalProtect App on iOS | No action needed |
| GlobalProtect App on Android | No action needed |
| GlobalProtect UWP App | No action needed |
Workarounds and Mitigations
You can mitigate this issue by using a different form of authentication for the GlobalProtect portal such as Client Certificate Authentication, RADIUS, TACACS+, LDAP, or Kerberos. You can find information about configuring authentication for the GlobalProtect portal in this documentation.
Acknowledgments
CPEs
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.5:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.4:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.3:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.2:-:*:*:*:*:*:*
cpe:2.3:a:paloaltonetworks:globalprotect_app:6.1.1:-:*:*:*:*:*:*