CVE-2025-0135 GlobalProtect App on macOS: Non Admin User Can Disable the GlobalProtect App

Palo Alto Networks Security Advisories / CVE-2025-0135

CVE-2025-0135 GlobalProtect App on macOS: Non Admin User Can Disable the GlobalProtect App

Urgency MODERATE

Severity 1.8 · LOW

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery USER

Value Density DIFFUSE

Attack Vector LOCAL

Attack Complexity LOW

Attack Requirements NONE

Automatable NO

User Interaction PASSIVE

Product Confidentiality NONE

Product Integrity LOW

Product Availability HIGH

Privileges Required LOW

Subsequent Confidentiality NONE

Subsequent Integrity NONE

Subsequent Availability NONE

CVE JSON CSAF

Published 2025-05-14

Updated 2025-05-14

Reference GPC-21582

Discovered externally

Description

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app.

The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.

Product Status

Versions	Affected	Unaffected
GlobalProtect App	None on Android None on Chrome OS None on iOS None on Windows None on Linux	All on Android All on Chrome OS All on iOS All on Windows All on Linux
GlobalProtect App 6.3	< 6.3.3 on macOS	>= 6.3.3 on macOS
GlobalProtect App 6.2	< 6.2.8 on macOS	>= 6.2.8 on macOS
GlobalProtect App 6.1	All on macOS	None on macOS
GlobalProtect App 6.0	All on macOS	None on macOS
GlobalProtect UWP App	None	All

Required Configuration for Exposure

No special configuration is required to be vulnerable to this issue.

Severity: LOW, Suggested Urgency: MODERATE

CVSS-BT: 1.8 / CVSS-B: 5.2 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-266: Incorrect Privilege Assignment

CAPEC-578 Disable Security Software

Solution

Version	Suggested Solution
GlobalProtect App 6.3 on macOS	Upgrade to 6.3.3 or later
GlobalProtect App 6.2 on macOS	Upgrade to 6.2.8 or later
GlobalProtect App 6.1 on macOS	Upgrade to 6.2.8 or later or 6.3.3 or later
GlobalProtect App 6.0 on macOS	Upgrade to 6.2.8 or later or 6.3.3 or later
GlobalProtect App on Linux	Not Applicable
GlobalProtect App on Windows	Not Applicable
GlobalProtect App on iOS	Not Applicable
GlobalProtect App on Android	Not Applicable
GlobalProtect UWP App	Not Applicable

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Alex Bourla (alex.bourla@form3.tech) and Graham Brereton (graham.brereton@form3.tech) for discovering and reporting the issue.

CPEs

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.3.0:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.4:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.3:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.2:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.1:-:*:*:*:*:*:*

cpe:2.3:a:paloaltonetworks:globalprotect_app:6.2.0:-:*:*:*:*:*:*