CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App
Description
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so.
The GlobalProtect app on Windows, macOS, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| GlobalProtect App | None on Android None on Chrome OS None on iOS None on Windows None on macOS | All on Android All on Chrome OS All on iOS All on Windows All on macOS |
| GlobalProtect App 6.2 | < 6.2.9 on Linux | >= 6.2.9 on Linux |
| GlobalProtect App 6.1 | All on Linux | None on Linux |
| GlobalProtect App 6.0 | All on Linux | None on Linux |
| GlobalProtect UWP App | None | All |
Required Configuration for Exposure
You are vulnerable to this issue if you have GlobalProtect configured with both of the following configurations:
- Connect method set to 'Every time the user logs on to the machine (Always On)'
- 'Allow User to Disable GlobalProtect' set to either Disallow or 'Allow with Passcode'
You can verify if these configurations are enabled by either
- Navigating to GlobalProtect > App Settings - GlobalProtect on the Strata Cloud Manager OR
- Navigating to Network > GlobalProtect > Portals > Agent on Panorama or PAN-OS management web interface for directly-managed devices.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 4.3 / CVSS-B: 6.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-266: Incorrect Privilege Assignment
CAPEC-578 Disable Security Software
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| GlobalProtect App 6.2 on Linux |
6.2.0 through 6.2.8 | Upgrade to 6.2.9 or later. |
| GlobalProtect App 6.1 on Linux | Upgrade to 6.2.9 or later. | |
| GlobalProtect App 6.0 on Linux | Upgrade to 6.2.9 or later. | |
| GlobalProtect App on Android, ChromeOS, iOS, macOS, Windows | No action needed. |
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
CPEs
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.8:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Linux:*:*
cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Linux:*:*
CPE Applicability
- cpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.2.0 and up to (excluding)6.2.9
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.1.0
- ORcpe:2.3:a:palo_alto_networks:globalprotect_app:*:*:*:*:*:Linux:*:* is vulnerable from (including)6.0.0