CVE-2025-0141 GlobalProtect App: Privilege Escalation (PE) Vulnerability
Description
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to escalate their privileges to root on macOS and Linux or NT\AUTHORITY SYSTEM on Windows.
The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
Product Status
Versions | Affected | Unaffected |
---|---|---|
GlobalProtect App | None on Android None on Chrome OS None on iOS | All on Android All on Chrome OS All on iOS |
GlobalProtect App 6.3 | < 6.3.3-h1 (6.3.3-c650) on macOS < 6.3.3-h1 (6.3.3-c650) on Windows | >= 6.3.3-h1 (6.3.3-c650) on macOS >= 6.3.3-h1 (6.3.3-c650) on Windows |
GlobalProtect App 6.2 | < 6.2.8-h2 (6.2.8-c243) on macOS < 6.2.8-h2 (6.2.8-c243) on Windows < 6.2.8 on Linux | >= 6.2.8-h2 (6.2.8-c243) on macOS >= 6.2.8-h2 (6.2.8-c243) on Windows >= 6.2.8 on Linux (ETA: July 11 2025) |
GlobalProtect App 6.1 | All on macOS All on Windows All on Linux | None on macOS None on Windows None on Linux |
GlobalProtect App 6.0 | All on macOS All on Windows All on Linux | None on macOS None on Windows None on Linux |
GlobalProtect UWP App | None | All |
Required Configuration for Exposure
No special configuration is required to be vulnerable to this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 5.7 / CVSS-B: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CAPEC-233 Privilege Escalation
Solution
Version | Minor Version | Suggested Solution |
---|---|---|
GlobalProtect App 6.3 on macOS |
6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.3 on Windows |
6.3.0 through 6.3.3 | Upgrade to 6.3.3-h1 (6.3.3-c650) or later. |
GlobalProtect App 6.2 on macOS |
6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
GlobalProtect App 6.2 on Windows |
6.2.0 through 6.2.8 | Upgrade to 6.2.8-h2 (6.2.8-c243) or later. |
GlobalProtect App 6.1 on macOS | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
GlobalProtect App 6.1 on Windows | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
GlobalProtect App 6.0 on macOS | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
GlobalProtect App 6.0 on Windows | Upgrade to 6.2.8-h2 (6.2.8-c243) or 6.3.3-h1 (6.3.3-c650) or later. | |
GlobalProtect App 6.2 on Linux |
6.2.0 through 6.2.7 | Upgrade to 6.2.8 or later. |
GlobalProtect App 6.1 on Linux | Upgrade to 6.2.8 or later. | |
GlobalProtect App 6.0 on Linux | Upgrade to 6.2.8 or later. | |
GlobalProtect App on Android, Chrome OS, iOS | No action needed. | |
GlobalProtect UWP App | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Windows:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Windows:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.3.3 and up to (excluding)6.3.3-h1_(6.3.3-c650)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.3.3 and up to (excluding)6.3.3-h1_(6.3.3-c650)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.2.8 and up to (excluding)6.2.8-h2_(6.2.8-c243)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.2.8 and up to (excluding)6.2.8-h2_(6.2.8-c243)
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:macOS:*:* is vulnerable from (including)6.0.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Windows:*:* is vulnerable from (including)6.0.0
- or
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.2.0 and up to (excluding)6.2.8
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.0.0