GlobalProtect App: Improper Certificate Validation Leads to Privilege Escalation

Action: Plan Patch | CVSS 7.4 | CVE-2025-2183 | Aug 13, 2025
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

An insufficient certificate validation flaw in Palo Alto Networks GlobalProtect app allows attackers to impersonate the legitimate GlobalProtect server. A local non-administrative user or an attacker on the same network subnet can exploit this to install malicious root certificates on the endpoint. Once a fake root certificate is installed, the attacker can sign and deploy malicious software that appears legitimate to the system. Windows versions 6.3.3-h2+, 6.2.8-h3+, and UWP 6.0.12+ have fixes available. Linux versions of GlobalProtect have no vendor patch available.

What this means

What could happen
An attacker on your network or with local access to an endpoint could trick the GlobalProtect app into trusting a malicious server, allowing them to install fake certificates and then use those to install malicious software on the affected machine without administrative privileges.

Who's at risk
Organizations using Palo Alto GlobalProtect for endpoint VPN access should prioritize this for any Windows endpoints running GlobalProtect versions below 6.3.3-h2 or 6.2.8-h3 (depending on branch) and UWP App versions below 6.0.12. Linux endpoints running all current versions of GlobalProtect have no available patch from the vendor.

How it could be exploited
An attacker either on the same network segment (same subnet) or with local system access creates a malicious server that mimics the legitimate GlobalProtect endpoint. When a user runs the vulnerable GlobalProtect app, the app's weak certificate validation allows it to connect to the malicious server instead of the real one. The app then installs a fake root certificate provided by the attacker, which can subsequently be used to sign and deploy malicious applications to the system.
Prerequisites
  • Local user account on the affected Windows or Linux system (non-administrative)
  • Network access to the same subnet as the target endpoint (for on-subnet attacks)
  • Ability to run a malicious server that responds to GlobalProtect connection attempts

  • No authentication required for local exploitation
  • Affects remote worker or contractor endpoints with access to sensitive networks
  • Linux versions have no vendor patch available
  • Low complexity attack requiring only local or subnet-level access
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (8)
4 with fix, 4 pending

Product                | Affected Versions                        | Fix Status
GlobalProtect App      | Below 6.3.3-h2 (6.3.3-c676) on Windows   | 6.3.3-h2 (6.3.3-c676) on Windows
GlobalProtect App      | Below 6.3.3 on Linux                     | 6.3.3 on Linux
GlobalProtect App      | Below 6.2.8-h3 (6.2.8-c263) on Windows   | 6.2.8-h3 (6.2.8-c263) on Windows
GlobalProtect App      | All on Linux                             | No fix yet
GlobalProtect App      | All on Windows                           | No fix yet
GlobalProtect App      | All on Linux                             | No fix yet
Global Protect UWP App | Below 6.0.12 on Windows                  | 6.0.12 on Windows
Global Protect UWP App | All on Linux                             | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GlobalProtect App
  • HOTFIX: Update GlobalProtect App on Windows to version 6.3.3-h2 (6.3.3-c676) or later for versions 6.3.x, or 6.2.8-h3 (6.2.8-c263) or later for versions 6.2.x
  • HOTFIX: Update GlobalProtect App on Linux to version 6.3.3 or later where available

Global Protect UWP App
  • HOTFIX: Update Global Protect UWP App on Windows to version 6.0.12 or later
Long-term hardening
  • HARDENING: For endpoints running Linux versions of GlobalProtect with no available fix, isolate these systems on a restricted network segment and monitor for suspicious certificate installations or software deployments
  • HARDENING: Implement network segmentation to restrict which endpoints can communicate with each other and monitor for unauthorized certificate installations on protected machines
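Both hardening items above ask for monitoring of unauthorized root certificate installations. The following Python is an added example of one way to do that, written for this page rather than taken from OTPulse or the vendor: it diffs a snapshot of an endpoint's trusted root store against an approved baseline and flags roots that are not in the baseline, were issued very recently (an ad-hoc rogue root is typically minted hours before it is installed), or are not self-signed and therefore do not belong in a Root store at all. It assumes the store was exported to CSV with columns Thumbprint, Subject, Issuer, NotBefore, NotAfter, the shape `Get-ChildItem Cert:\LocalMachine\Root | Export-Csv` produces, and that dates are ISO-8601 (an assumption; the real export uses the machine's locale format). The baseline, the snapshot and the `AS_OF` date are constructed sample data.

```python
"""Root-store baseline diff (added example, not OTPulse or vendor tooling).
Baseline, snapshot and AS_OF below are constructed sample data."""
import csv
import io
from datetime import datetime, timedelta

# Constructed baseline: thumbprints approved through change control.
BASELINE = {
    "0000000000000000000000000000000000000001": "CN=Example Corp Root CA, O=Example Corp",
    "0000000000000000000000000000000000000002": "CN=Example Public Root G2, O=Example CA Ltd",
}

# Constructed snapshot in the assumed CSV shape (ISO-8601 dates assumed).
SNAPSHOT_CSV = """Thumbprint,Subject,Issuer,NotBefore,NotAfter
0000000000000000000000000000000000000001,"CN=Example Corp Root CA, O=Example Corp","CN=Example Corp Root CA, O=Example Corp",2019-03-01T00:00:00,2039-03-01T00:00:00
0000000000000000000000000000000000000002,"CN=Example Public Root G2, O=Example CA Ltd","CN=Example Public Root G2, O=Example CA Ltd",2015-06-01T00:00:00,2035-06-01T00:00:00
00000000000000000000000000000000000000ff,"CN=Sample Rogue Root","CN=Sample Rogue Root",2025-08-10T09:15:00,2035-08-10T09:15:00
"""

# Constructed "now" so the recency check is deterministic.
AS_OF = datetime(2025, 8, 13)


def parse_snapshot(text: str) -> list[dict]:
    """Parse the CSV export; thumbprints are normalised to upper-case hex
    so they compare cleanly with the baseline."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "thumbprint": rec["Thumbprint"].strip().upper(),
            "subject": rec["Subject"],
            "issuer": rec["Issuer"],
            "not_before": datetime.fromisoformat(rec["NotBefore"]),
            "not_after": datetime.fromisoformat(rec["NotAfter"]),
        })
    return rows


def find_unexpected_roots(rows: list[dict], baseline: dict,
                          now: datetime, recent_days: int = 7) -> list[dict]:
    """Return one finding per suspicious root, with every reason it tripped."""
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for r in rows:
        reasons = []
        if r["thumbprint"] not in baseline:
            reasons.append("not in approved baseline")
        if r["not_before"] >= cutoff:
            reasons.append(f"issued within the last {recent_days} days")
        if r["subject"] != r["issuer"]:
            reasons.append("not self-signed; does not belong in a Root store")
        if reasons:
            findings.append({"thumbprint": r["thumbprint"],
                             "subject": r["subject"], "reasons": reasons})
    return findings


def run_sample_audit() -> list[dict]:
    """Audit the constructed snapshot against the constructed baseline."""
    return find_unexpected_roots(parse_snapshot(SNAPSHOT_CSV), BASELINE, AS_OF)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['thumbprint']}  {f['subject']}: {'; '.join(f['reasons'])}")
```

On a fleet this runs against an export collected from each endpoint on a schedule; the baseline is the set of thumbprints you deliberately distribute, so any new entry is a change-control question before it is a security incident. The same diff applies to the per-user store (`Cert:\CurrentUser\Root`), which a non-administrative user can write to and which is exactly where a locally planted root would land.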
GlobalProtect App: Improper Certificate Validation Leads to Privilege Escalation | CVSS 7.4 - OTPulse