CVE-2025-0140 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App
Description
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS and Linux devices enables a locally authenticated, non-administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so.
The GlobalProtect app on Windows, iOS, Android and Chrome OS, and the GlobalProtect UWP app, are not affected.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on Android; None on Chrome OS; None on iOS; None on Windows | All on Android; All on Chrome OS; All on iOS; All on Windows |
GlobalProtect App 6.3 | < 6.3.3-h1 (6.3.3-c650) on macOS | >= 6.3.3-h1 (6.3.3-c650) on macOS |
GlobalProtect App 6.2 | < 6.2.8-h2 (6.2.8-c243) on macOS; < 6.2.8 on Linux | >= 6.2.8-h2 (6.2.8-c243) on macOS; >= 6.2.8 on Linux (ETA: July 11 2025) |
GlobalProtect App 6.1 | All on macOS; All on Linux | None on macOS; None on Linux |
GlobalProtect App 6.0 | All on macOS; All on Linux | None on macOS; None on Linux |
GlobalProtect UWP App | None | All |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-266: Incorrect Privilege Assignment
CAPEC-578 Disable Security Software
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
GlobalProtect App 6.3 on macOS | 6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.2 on macOS | 6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
GlobalProtect App 6.1 on macOS | All | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.0 on macOS | All | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.2 on Linux | 6.2.0 through 6.2.8 | Upgrade to 6.2.8 or later. |
GlobalProtect App 6.1 on Linux | All | Upgrade to 6.2.8 or later. |
GlobalProtect App 6.0 on Linux | All | Upgrade to 6.2.8 or later. |
GlobalProtect App on Android, iOS, Windows | All | No action needed. |
GlobalProtect UWP App | All | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.3.3 and up to (excluding) 6.3.3-h1_(6.3.3-c650)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.2.8 and up to (excluding) 6.2.8-h2_(6.2.8-c243)
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.1.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including) 6.0.0
- OR
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.2.0 and up to (excluding) 6.2.8
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.1.0
- OR cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including) 6.0.0
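Added here as a worked check, not code from the advisory or from Palo Alto Networks: a Python helper that encodes the Product Status and CPE Applicability ranges above and reports whether a platform/version pair is affected. The point it handles is that a hotfix suffix such as `-h1` sorts after its base release (6.3.3 is older than 6.3.3-h1), whereas a semver library would read `-h1` as a pre-release and sort it before; the platform keys and the `is_affected` function are assumptions of this example, and trains the advisory does not list return None.

```python
import re
from typing import Optional, Tuple

# First fixed version per release train, transcribed from the Product Status table.
# Trains 6.0 and 6.1 have no fix on macOS or Linux and are affected in full.
FIXED_IN = {
    "macos": {(6, 2): "6.2.8-h2", (6, 3): "6.3.3-h1"},
    "linux": {(6, 2): "6.2.8"},
}
FULLY_AFFECTED_TRAINS = {(6, 0), (6, 1)}
# Platforms the advisory lists as not affected (key spelling is this example's own).
UNAFFECTED_PLATFORMS = {"windows", "ios", "android", "chromeos", "uwp"}

# Accepts "6.2.8" or "6.2.8-h2"; the "(6.2.8-c243)" build tag is dropped before matching.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix) so that tuples compare correctly.

    A plain release has hotfix 0, so 6.3.3 < 6.3.3-h1. A semver parser would
    treat "-h1" as a pre-release tag and wrongly sort it *before* 6.3.3.
    """
    token = text.strip().split()[0]  # strip a trailing " (6.3.3-c650)" build tag
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(platform: str, version: str) -> Optional[bool]:
    """True/False per the advisory; None if the platform/train is not listed."""
    plat = platform.lower().replace(" ", "")
    if plat in UNAFFECTED_PLATFORMS:
        return False
    if plat not in FIXED_IN:
        return None
    v = parse_version(version)
    train = v[:2]
    if train in FULLY_AFFECTED_TRAINS:
        return True
    fixed = FIXED_IN[plat].get(train)
    if fixed is None:
        return None  # e.g. 6.3 on Linux: the advisory gives no status
    return v < parse_version(fixed)
```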