Palo Alto Networks Security Advisories / CVE-2025-0140

CVE-2025-0140 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App

Urgency MODERATE

047910
Severity 4.3 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density DIFFUSE
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required LOW
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS and Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so.

The GlobalProtect app on Windows, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.

Product Status

VersionsAffectedUnaffected
GlobalProtect AppNone on Android
None on Chrome OS
None on iOS
None on Windows
All on Android
All on Chrome OS
All on iOS
All on Windows
GlobalProtect App 6.3< 6.3.3-h1 (6.3.3-c650) on macOS
>= 6.3.3-h1 (6.3.3-c650) on macOS
GlobalProtect App 6.2< 6.2.8-h2 (6.2.8-c243) on macOS
< 6.2.8 on Linux
>= 6.2.8-h2 (6.2.8-c243) on macOS
>= 6.2.8 on Linux (ETA: July 11
2025)
GlobalProtect App 6.1All on macOS
All on Linux
None on macOS
None on Linux
GlobalProtect App 6.0All on macOS
All on Linux
None on macOS
None on Linux
GlobalProtect UWP AppNone
All

Required Configuration for Exposure

No special configuration is required to be vulnerable to this issue.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-266: Incorrect Privilege Assignment

CAPEC-578 Disable Security Software

Solution

Version
Minor Version
Suggested Solution
GlobalProtect App 6.3 on macOS
6.3.0 through 6.3.3 Upgrade to 6.3.3-h1 (6.3.3-c650) or later.
GlobalProtect App 6.2 on macOS
6.2.0 through 6.2.8 Upgrade to 6.2.8-h2 (6.2.8-c243) or later.
GlobalProtect App 6.1 on macOSUpgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later.
GlobalProtect App 6.0 on macOSUpgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later.
GlobalProtect App 6.2 on Linux
6.2.0 through 6.2.8 Upgrade to 6.2.8 or later.
GlobalProtect App 6.1 on LinuxUpgrade to 6.2.8 or later.
GlobalProtect App 6.0 on LinuxUpgrade to 6.2.8 or later.
GlobalProtect App on Android, iOS, Windows  No action needed.
GlobalProtect UWP App All
No action needed.

Workarounds and Mitigations

No workaround or mitigation is available.

Acknowledgments

Palo Alto Networks thanks Alex Bourla and Graham Brereton (graham.brereton@form3.tech) for discovering and reporting this issue.

CPEs

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*

cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*

CPE Applicability

Timeline

Initial Publication
© 2025 Palo Alto Networks, Inc. All rights reserved.