GlobalProtect App: Certificate Validation Bypass Vulnerabilities

Action: Plan Patch
CVSS: 7.6
CVE: CVE-2026-0249
Date: May 13, 2026
Vendor: Palo Alto Networks
Sector: Transportation
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app enable an attacker to intercept encrypted communications. A local non-administrative operating system user, or an attacker on the same subnet, can redirect traffic to an unauthorized server and facilitate the installation of malicious software. The GlobalProtect app on Linux, Windows and iOS, and the GlobalProtect UWP app, are not affected.

What this means
What could happen
An attacker could intercept VPN traffic and redirect it to a malicious server, potentially installing malware on employee laptops and mobile devices that connect to your network. This compromises the integrity of remote connections to critical systems.
Who's at risk
Organizations with remote workers or mobile devices using Palo Alto GlobalProtect on macOS, Android, or ChromeOS. This affects anyone connecting to your network from home, branch offices, or while traveling. Transportation sector operations relying on remote access are specifically mentioned as at-risk.
How it could be exploited
An attacker on the same network as a remote worker (or with local non-administrative access to their device) redirects the GlobalProtect client's traffic to a server they control that impersonates the legitimate VPN endpoint. Because the app does not validate the server certificate properly, the connection is established to the attacker's server instead, allowing them to capture credentials or deliver malicious software.
Prerequisites
  • Network access to the same subnet as the vulnerable GlobalProtect client device OR local access to the endpoint
  • Target device running a vulnerable version of GlobalProtect on macOS, Android, or ChromeOS
  • The VPN connection attempt must be in progress
Tags: remotely exploitable, low complexity, affects VPN security infrastructure, impacts mobile and remote worker devices
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (7, all with a fix)
  • GlobalProtect App on macOS: affected below 6.3.3-h9 (6.3.3-999); fixed in 6.3.3-h9 (6.3.3-999)
  • GlobalProtect App on macOS: affected below 6.2.8-h10 (6.2.8-948); fixed in 6.2.8-h10 (6.2.8-948)
  • GlobalProtect App on Android: affected below 6.1.13; fixed in 6.1.13
  • GlobalProtect App on ChromeOS: affected below 6.1.13; fixed in 6.1.13
  • GlobalProtect App on Android: affected below 6.0.14; fixed in 6.0.14 (ETA: 05/20)
  • GlobalProtect App on ChromeOS: affected below 6.0.14; fixed in 6.0.14 (ETA: 05/20)
  • GlobalProtect App on macOS: affected below 6.0.13; fixed in 6.0.13
Remediation & Mitigation

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GlobalProtect App
  • HOTFIX: Update GlobalProtect app on macOS to version 6.3.3-h9 or later (or 6.2.8-h10 if running 6.2.x, or 6.0.13 if running 6.0.x)
  • HOTFIX: Update GlobalProtect app on Android to version 6.1.13 or later (or 6.0.14 or later if running 6.0.x)
  • HOTFIX: Update GlobalProtect app on ChromeOS to version 6.1.13 or later (or 6.0.14 or later if running 6.0.x)

Long-term hardening
  • HARDENING: Segment remote worker networks and critical systems behind additional authentication layers (e.g., MFA on internal systems) to limit impact if a VPN connection is compromised
  • HARDENING: Implement endpoint detection and response (EDR) tools on remote worker laptops to detect suspicious certificate validation failures or unexpected network redirects
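To triage an endpoint inventory against the fix versions listed in this advisory, here is an added example (not code from the advisory or from Palo Alto Networks) that parses GlobalProtect version strings, including the "-hN" hotfix suffix, and compares them per platform and release train. The platform keys, the handling of trains the advisory does not list, and the decision to ignore build numbers in parentheses are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Fixed versions taken from the advisory, keyed by platform and release
# train ("major.minor"). Build numbers such as (6.3.3-999) are ignored.
FIXED_VERSIONS = {
    "macos":    {"6.3": "6.3.3-h9", "6.2": "6.2.8-h10", "6.0": "6.0.13"},
    "android":  {"6.1": "6.1.13", "6.0": "6.0.14"},   # 6.0.14 fix ETA 05/20
    "chromeos": {"6.1": "6.1.13", "6.0": "6.0.14"},   # 6.0.14 fix ETA 05/20
}
# Platforms the advisory states are not affected (assumed key names).
NOT_AFFECTED = {"linux", "windows", "ios", "uwp"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.3-h9' into (6, 3, 3, 9). A release without a hotfix
    suffix gets hotfix 0, so plain 6.3.3 sorts below 6.3.3-h9."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(platform: str, installed: str) -> Optional[bool]:
    """True if the installed version is below the advisory's fix for its
    release train, False if at/above the fix or the platform is unaffected,
    None if the advisory gives no fix for that train (escalate to the vendor
    advisory rather than assuming the device is safe)."""
    platform = platform.lower()
    if platform in NOT_AFFECTED:
        return False
    trains = FIXED_VERSIONS.get(platform)
    if trains is None:
        raise ValueError(f"unknown platform: {platform!r}")
    inst = parse_version(installed)
    fix = trains.get(f"{inst[0]}.{inst[1]}")
    if fix is None:
        return None
    return inst < parse_version(fix)


if __name__ == "__main__":
    # Constructed sample inventory rows: (hostname, platform, version).
    for host, plat, ver in [("mac-01", "macOS", "6.3.3"),
                            ("droid-07", "Android", "6.1.13"),
                            ("cros-02", "ChromeOS", "6.0.13")]:
        print(host, plat, ver, "vulnerable:", is_vulnerable(plat, ver))
```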