GlobalProtect App: Privilege Escalation (PE) Vulnerability

Plan Patch | 8.4 | CVE-2025-0141 | Jul 9, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An incorrect privilege assignment vulnerability in Palo Alto Networks GlobalProtect App allows a locally authenticated non-administrative user to escalate their privileges to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows. This vulnerability affects GlobalProtect App versions before 6.3.3-h1 (6.3.3-c650) on macOS and Windows, before 6.2.8-h2 (6.2.8-c243) on macOS and Windows, before 6.2.8 on Linux, and before 6.0.12 on macOS and Windows. GlobalProtect UWP App on all platforms and GlobalProtect App on Linux are not receiving fixes. The vulnerability does not affect iOS, Android, or Chrome OS versions.

What this means
What could happen
A local user without admin rights on a desktop or laptop could escalate their privileges to root (macOS/Linux) or system-level (Windows), potentially allowing them to install malware, steal credentials, or modify security software and monitoring tools.
Who's at risk
Any organization using GlobalProtect App on employee laptops and desktops (macOS, Windows, or Linux) for VPN access. This affects remote workers, field technicians, and any staff with bring-your-own-device (BYOD) policies. OT networks where remote engineers use these endpoints for plant access are at higher risk.
How it could be exploited
An attacker with a valid local user account on a device running vulnerable GlobalProtect App can trigger a privilege escalation flaw that allows them to gain root or system-level access without administrative credentials or additional exploits.
Prerequisites
  • Valid local user account on the device (non-administrative)
  • Vulnerable GlobalProtect App installed and running on macOS, Windows, or Linux
  • Physical or network access to the device to execute local commands
locally exploitable | valid user credentials required | privilege escalation to root/system level | affects endpoint security posture | no fix available for UWP variant
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (11)
7 with fix, 4 pending
Product | Affected Versions | Fix Status
GlobalProtect App | Below 6.3.3-h1 (6.3.3-c650) on macOS | 6.3.3-h1 (6.3.3-c650) on macOS+
GlobalProtect App | Below 6.3.3-h1 (6.3.3-c650) on Windows | 6.3.3-h1 (6.3.3-c650) on Windows+
GlobalProtect App | Below 6.2.8-h2 (6.2.8-c243) on macOS | 6.2.8-h2 (6.2.8-c243) on macOS+
GlobalProtect App | Below 6.2.8-h2 (6.2.8-c243) on Windows | 6.2.8-h2 (6.2.8-c243) on Windows+
GlobalProtect App | Below 6.2.8 on Linux | 6.2.8 on Linux+
GlobalProtect UWP App | All on macOS | No fix yet
GlobalProtect UWP App | All on Windows | No fix yet
GlobalProtect UWP App | All on Linux | No fix yet
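
A fleet-inventory check against the affected-versions table above, as an added example that is not part of the advisory or any Palo Alto Networks code. It assumes version strings in the two forms the page shows ("6.3.3-h1" or "6.3.3-c650"), that build numbers only increase within a base release, and hypothetical host names; release trains the page does not list are reported as "unlisted" rather than guessed.

```python
import re

# Fixed releases from the advisory's table, keyed by platform and release train.
# Value: (patch, hotfix number, build number or None where the page gives none).
FIXED = {
    "macos":   {(6, 3): (3, 1, 650), (6, 2): (8, 2, 243), (6, 0): (12, 0, None)},
    "windows": {(6, 3): (3, 1, 650), (6, 2): (8, 2, 243), (6, 0): (12, 0, None)},
    "linux":   {(6, 2): (8, 0, None)},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([hc])(\d+))?$")

def classify(product, platform, version):
    """Return 'vulnerable', 'fixed', 'no-fix', 'unlisted' or 'unparsed'."""
    if "uwp" in product.lower():
        return "no-fix"          # advisory: UWP app has no fixed release
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    kind, num = m.group(4), int(m.group(5) or 0)
    fix = FIXED.get(platform.lower(), {}).get((major, minor))
    if fix is None:
        return "unlisted"        # train not named on the page: review by hand
    fix_patch, fix_hotfix, fix_build = fix
    if patch != fix_patch:
        return "fixed" if patch > fix_patch else "vulnerable"
    if kind == "c":
        # Assumption: build numbers only increase within one base release.
        # With no build on the page, the fix is the base release itself.
        ok = fix_build is None or num >= fix_build
    else:
        ok = num >= fix_hotfix   # a bare version counts as hotfix 0
    return "fixed" if ok else "vulnerable"

# Constructed sample inventory (hypothetical hosts, not from the advisory).
INVENTORY = [
    ("ws-01", "GlobalProtect App", "windows", "6.3.3-c650"),
    ("mac-07", "GlobalProtect App", "macos", "6.2.8-h1"),
    ("lin-02", "GlobalProtect App", "linux", "6.2.8"),
    ("ws-14", "GlobalProtect App", "windows", "6.1.4"),
    ("ws-20", "GlobalProtect UWP App", "windows", "6.3.3"),
]

def triage(inventory):
    return {host: classify(prod, plat, ver) for host, prod, plat, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as anything other than "fixed" go into the remediation queue; "unlisted" and "unparsed" need a manual check against the vendor advisory.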
Remediation & Mitigation
Do now
GlobalProtect UWP App
WORKAROUND: Uninstall or disable GlobalProtect UWP App on all platforms, as no fix is available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GlobalProtect App
HOTFIX: Update GlobalProtect App to version 6.3.3-h1 (6.3.3-c650) or later on macOS and Windows, or 6.2.8-h2 (6.2.8-c243) on Windows and macOS, or 6.0.12 or later on macOS and Windows
Long-term hardening
GlobalProtect App
HARDENING: Monitor for suspicious privilege escalation attempts in system logs on devices running GlobalProtect App
All products
HARDENING: Restrict local access to endpoints by enforcing endpoint device management and requiring multi-factor authentication for VPN and remote access