GlobalProtect App: Non Admin User Can Disable the GlobalProtect App
Monitor | 6.8 | CVE-2025-2179 | Jul 28, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
An incorrect privilege assignment vulnerability in Palo Alto Networks GlobalProtect App on Linux allows a non-administrative local user to disable the application, bypassing configuration restrictions that would normally prevent this action. The vulnerability does not affect GlobalProtect on Windows, macOS, iOS, Android, Chrome OS, or the UWP app variant.
What this means
What could happen
A non-administrative user on a Linux endpoint can disable the GlobalProtect VPN client, allowing the device to operate outside corporate network protections and security monitoring.
Who's at risk
Organizations with endpoint security programs that enforce VPN use on Linux workstations. This affects system administrators, engineers, and any users with Linux laptops or workstations who depend on GlobalProtect for secure remote access and network policy enforcement.
How it could be exploited
An attacker with local user access to a Linux workstation running GlobalProtect App can execute commands or use the GlobalProtect interface to disable the VPN client, bypassing any administrative restrictions that would normally prevent this action.
Prerequisites
- Local access to a Linux workstation
- Non-administrative user account
- GlobalProtect App installed on Linux
Tags: locally exploitable, low complexity, affects endpoint security posture, requires valid user credentials
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
1 with fix, 2 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| GlobalProtect App | Below 6.2.9 on Linux | 6.2.9 on Linux+ |
| GlobalProtect App | All on Linux | No fix yet |
| GlobalProtect UWP App | All on Linux | No fix yet |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
GlobalProtect App
- HOTFIX: Update GlobalProtect App to version 6.2.9 or later on Linux endpoints
- HARDENING: Monitor and audit GlobalProtect application logs on Linux devices for unexpected disablement events
Long-term hardening
GlobalProtect App
- HARDENING: For endpoints running older versions of GlobalProtect App on Linux where patching is not yet possible, restrict local access to only trusted administrators and implement system access controls
CVEs (1)