GlobalProtect App: Non Admin User Can Disable the GlobalProtect App

MonitorCVSS 6.8CVE-2025-0140Jul 9, 2025

Palo Alto Networks

IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries

Summary

An incorrect privilege assignment vulnerability in Palo Alto Networks GlobalProtect App on macOS allows a non-administrative user to disable the VPN app, bypassing security policies that should restrict this capability. GlobalProtect on Windows, Linux, iOS, Android, and Chrome OS are not affected. The GlobalProtect UWP App on macOS has no fix available.

What this means

What could happen

A non-administrative user on a macOS device can disable the GlobalProtect VPN client, potentially allowing unencrypted traffic and exposing the device to external threats. This breaks the security perimeter for remote workers and disconnects them from protected network access.

Who's at risk

Organizations using Palo Alto Networks GlobalProtect App on employee macOS devices for remote VPN access. This includes remote workers, mobile users, and any staff using Macs who rely on GlobalProtect for secure access to company networks and resources.

How it could be exploited

An attacker with local access to a macOS device (or a disgruntled employee) can interact with the GlobalProtect app interface to disable VPN protection, even if the device policy prohibits non-admin users from making such changes. The attacker does not need administrative credentials.

Prerequisites

Local access to macOS device running vulnerable GlobalProtect App
User account on the device (non-administrative)
GlobalProtect app installed and configured

Locally exploitableLow attack complexityAffects remote access security controls

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

2 with fix1 pending

ProductAffected VersionsFix Status

GlobalProtect AppBelow 6.3.3-h1 (6.3.3-c650) on macOS6.3.3-h1 (6.3.3-c650) on macOS+

GlobalProtect AppBelow 6.2.8-h2 (6.2.8-c243) on macOS6.2.8-h2 (6.2.8-c243) on macOS+

GlobalProtect UWP AppAll on macOSNo fix yet

Remediation & Mitigation

0/4

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

GlobalProtect App

HOTFIXUpdate GlobalProtect App to version 6.3.3-h1 (6.3.3-c650) or later on macOS devices

HOTFIXUpdate GlobalProtect App to version 6.2.8-h2 (6.2.8-c243) or later on macOS devices

All products

HARDENINGEnforce mobile device management (MDM) policies to restrict local user permissions and prevent unauthorized app modifications on macOS endpoints

Long-term hardening

0/1

GlobalProtect App

WORKAROUNDReplace GlobalProtect UWP App with a supported alternative or revert to standard GlobalProtect App; no fix is available for the UWP version

CVEs (1)

CVE-2025-0140

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/35f97619-ac8b-4260-a7ba-d0d1756e630e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.