Palo Alto Networks Security Advisories / CVE-2025-2183

CVE-2025-2183 GlobalProtect App: Improper Certificate Validation Leads to Privilege Escalation

Urgency MODERATE

Severity 4.5 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort N/A
Recovery USER
Value Density DIFFUSE
Attack Vector ADJACENT
Attack Complexity LOW
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect™ app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.

Product Status

Versions               | Affected                                | Unaffected
GlobalProtect UWP App  | None                                    | All
GlobalProtect App      | None on Android                         | All on Android
                       | None on iOS                             | All on iOS
                       | None on macOS                           | All on macOS
GlobalProtect App 6.3  | < 6.3.3-h2 (6.3.3-c676) on Windows      | >= 6.3.3-h2 (6.3.3-c676) on Windows*
                       | < 6.3.3 on Linux                        | >= 6.3.3 on Linux (ETA: 9/1)*
GlobalProtect App 6.2  | < 6.2.8-h3 (6.2.8-c263) on Windows      | >= 6.2.8-h3 (6.2.8-c263) on Windows*
                       | All on Linux                            | None on Linux
GlobalProtect App 6.1  | All on Windows                          | None on Windows
                       | All on Linux                            | None on Linux
GlobalProtect App 6.0  | All on Windows                          | None on Windows*
                       | All on Linux                            | None on Linux

* In addition to the software updates listed above, additional steps are required to protect against this vulnerability. See the Solution section for full details.

Required Configuration for Exposure

GlobalProtect installations are impacted if either of the following conditions is true:
1. The portal pushes certificates to the client, which are then used to validate the Portal or Gateway's certificate. These certificates are stored in the tca.cer file. If the certificates listed in "Trusted Root CA" include the entire certificate chain for the Portal or Gateway certificate, the configuration will be vulnerable.

2. The GlobalProtect app is deployed with the “FULLCHAINCERTVERIFY” option set to yes. To learn more about this configuration, see the Solution section of this advisory.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.5 / CVSS-B: 7.4 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-295 Improper Certificate Validation

CAPEC-233 Privilege Escalation

Solution

Version                                   | Minor Version        | Suggested Solution
GlobalProtect App 6.3 on Windows          | 6.3.0 through 6.3.2  | Upgrade to 6.3.2-h9 or 6.3.3-h2 or later*.
GlobalProtect App 6.2 on Windows          | 6.2.0 through 6.2.8  | Upgrade to 6.2.8-h3 or later*.
GlobalProtect App 6.1 on Windows          |                      | Upgrade to 6.2.8-h3 or 6.3.3-h2 or later*.
GlobalProtect App 6.0 on Windows          |                      | Upgrade to 6.2.8-h3 or 6.3.3-h2 or later*.
GlobalProtect App 6.3 on Linux            | 6.3.0 through 6.3.2  | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.2 on Linux            |                      | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.1 on Linux            |                      | Upgrade to 6.3.3 or later*.
GlobalProtect App 6.0 on Linux            |                      | Upgrade to 6.3.3 or later*.
GlobalProtect App on Android, iOS, macOS  |                      | No action needed.
GlobalProtect UWP App                     |                      | No action needed.

* In addition to the software updates listed above, additional steps are required to protect against this vulnerability as described below:
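As an added triage helper (not Palo Alto Networks code and not part of the advisory), the Python below encodes the Product Status and Solution tables so a fleet's installed GlobalProtect versions can be classified as affected, patched (with the extra configuration steps still outstanding) or unaffected. The equivalence of build ids 6.3.3-c676 and 6.2.8-c263 to hotfix levels is taken from the tables; the OS-name/version input format is an assumption of this example.

```python
"""Endpoint triage for CVE-2025-2183 from a GlobalProtect version string.
Added example, not Palo Alto Networks code. It encodes the advisory's Product
Status and Solution tables: fixed builds are 6.3.3-h2 (6.3.3-c676), 6.3.2-h9 and
6.2.8-h3 on Windows, 6.3.3 on Linux; 6.0/6.1 (and 6.2 on Linux) have no fix."""
import re

# Build identifiers that the advisory equates with a hotfix level.
BUILD_ALIASES = {"6.3.3-c676": "6.3.3-h2", "6.2.8-c263": "6.2.8-h3"}
# Lowest fixed builds per (os, release line) as (major, minor, patch, hotfix);
# hotfix 0 is a plain release. Lines absent here have no fixed build.
FIXED = {("windows", "6.3"): [(6, 3, 3, 2), (6, 3, 2, 9)],
         ("windows", "6.2"): [(6, 2, 8, 3)],
         ("linux", "6.3"): [(6, 3, 3, 0)]}
UPGRADE = {("windows", "6.3"): "6.3.2-h9 or 6.3.3-h2 or later",
           ("windows", "6.2"): "6.2.8-h3 or later",
           ("windows", "6.1"): "6.2.8-h3 or 6.3.3-h2 or later",
           ("windows", "6.0"): "6.2.8-h3 or 6.3.3-h2 or later",
           **{("linux", ln): "6.3.3 or later" for ln in ("6.0", "6.1", "6.2", "6.3")}}
# The asterisk in the advisory's tables: patching alone is not enough.
POST_UPGRADE = ("apply the Solution steps: trust via the OS certificate store, remove "
                "portal/gateway certs from Trusted Root CA, set FULLCHAINCERTVERIFY to yes")

def parse_version(text):
    """'6.3.3-h2' -> (6, 3, 3, 2); '6.2.8' -> (6, 2, 8, 0); aliases resolve first."""
    text = BUILD_ALIASES.get(text.strip(), text.strip())
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_fixed(ver, thresholds):
    """Past the newest fixed patch level, or at a fixed patch level with at least
    its hotfix. A plain 6.3.3 on Windows is NOT fixed: the table needs 6.3.3-h2."""
    newest = max(thresholds)
    return ver[:3] > newest[:3] or any(
        ver[:3] == t[:3] and ver[3] >= t[3] for t in thresholds)

def assess(os_name, version):
    """Return (status, advice) for one endpoint according to the advisory tables."""
    os_name = os_name.lower()
    if os_name not in ("windows", "linux"):
        return "unaffected", "no action needed"
    ver = parse_version(version)
    line = (os_name, f"{ver[0]}.{ver[1]}")
    if line not in UPGRADE:
        return "unknown", "release line not covered by the advisory"
    if line in FIXED and is_fixed(ver, FIXED[line]):
        return "patched", POST_UPGRADE
    return "affected", f"upgrade to {UPGRADE[line]}, then {POST_UPGRADE}"
```

Feed it one (OS, version) pair per endpoint from an inventory export; versions carrying a build id the advisory does not name raise rather than being guessed.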

Solution for new and existing GlobalProtect app installations on Windows / Linux
  1. Ensure the portal/gateway certificate can be validated using the operating system's certificate store (e.g., the Local Machine or Current User certificate store on Windows; for Linux, refer to this documentation).
  2. Remove any certificates associated with portal/gateway validation from the "Trusted Root CA" list on the Portal.
  3. Enable the portal setting “Enable Strict Certificate Check” (set FULLCHAINCERTVERIFY to yes).

Workarounds and Mitigations

No known workarounds exist for this issue.

Acknowledgments

Palo Alto Networks thanks Nikola Markovic of Palo Alto Networks and Maxime Escorbiac of Michelin CERT for discovering and reporting this issue.

CPEs
© 2025 Palo Alto Networks, Inc. All rights reserved.