GlobalProtect App: Local Privilege Escalation Vulnerabilities
Plan Patch | CVSS 8.5 | CVE-2026-0251 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
Multiple local privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect app allow a local user to escalate privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux, enabling execution of arbitrary commands with administrative rights. The vulnerabilities affect GlobalProtect on Windows, macOS, and Linux; iOS, Android, Chrome OS, and UWP versions are not affected.
What this means
What could happen
A user with a local account on a Windows, macOS, or Linux workstation running GlobalProtect can escalate their privileges to administrator level and run arbitrary commands, potentially compromising the security of that endpoint and any sensitive data or systems it can access.
Who's at risk
Organizations that use Palo Alto Networks GlobalProtect to provide remote or secure network access for employees on Windows, macOS, or Linux workstations should prioritize patching. This affects any workforce using VPN or endpoint security through GlobalProtect, including corporate offices, field workers, and contractors with local machine access.
How it could be exploited
An attacker with local access to a workstation running a vulnerable version of GlobalProtect exploits a privilege escalation flaw in the application to run commands as SYSTEM (Windows) or root (macOS/Linux). No network access or additional credentials are required—only the ability to execute code on the machine as a regular user.
Prerequisites
- Local user account on the workstation
- Vulnerable version of GlobalProtect installed and running
- Ability to execute code or commands on the local machine
- Low complexity to exploit
- No authentication required beyond local user access
- Affects Windows, macOS, and Linux endpoints
- No fix available for mobile and UWP versions
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (12)
8 with fix, 4 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| GlobalProtect App | Below 6.3.3-h9 (6.3.3-999) on Windows | 6.3.3-h9 (6.3.3-999) on Windows |
| GlobalProtect App | Below 6.3.3-h9 (6.3.3-999) on macOS | 6.3.3-h9 (6.3.3-999) on macOS |
| GlobalProtect App | Below 6.3.3-h2 (6.3.3-42) on Linux | 6.3.3-h2 (6.3.3-42) on Linux |
| GlobalProtect App | Below 6.2.8-h10 (6.2.8-948) on Windows | 6.2.8-h10 (6.2.8-948) on Windows |
| GlobalProtect App | Below 6.2.8-h10 (6.2.8-948) on macOS | 6.2.8-h10 (6.2.8-948) on macOS |
| GlobalProtect App | Below 6.0.13 on Windows | 6.0.13 on Windows |
| GlobalProtect App | Below 6.0.13 on macOS | 6.0.13 on macOS |
| GlobalProtect App | Below 6.0.11 on Linux | 6.0.11 on Linux (ETA: 06/04) |
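The version thresholds in the table above, applied to an endpoint inventory (an added example, not code from the advisory or from Palo Alto Networks). It assumes the inventory reports versions as `6.3.3-h9` or `6.3.3-999`, the two notations the table uses; the function names and sample hosts are made up.

```python
import re

# (os, major.minor branch) -> (fixed base, hotfix no., build no., fix released?), from the table above
FIXES = {
    ("windows", (6, 3)): ((6, 3, 3), 9, 999, True),
    ("macos", (6, 3)): ((6, 3, 3), 9, 999, True),
    ("linux", (6, 3)): ((6, 3, 3), 2, 42, True),
    ("windows", (6, 2)): ((6, 2, 8), 10, 948, True),
    ("macos", (6, 2)): ((6, 2, 8), 10, 948, True),
    ("windows", (6, 0)): ((6, 0, 13), None, None, True),
    ("macos", (6, 0)): ((6, 0, 13), None, None, True),
    ("linux", (6, 0)): ((6, 0, 11), None, None, False),  # ETA 06/04 per the table
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(h?)(\d+))?$")

def classify(os_name, version):
    """Return 'fixed', 'vulnerable', 'vulnerable-fix-pending', 'unlisted' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    base = tuple(int(x) for x in m.group(1, 2, 3))
    entry = FIXES.get((os_name.lower(), base[:2]))
    if entry is None:
        return "unlisted"  # OS/branch pair is not in the table; check the vendor advisory
    fixed_base, fixed_hotfix, fixed_build, released = entry
    if base > fixed_base or (base == fixed_base and fixed_hotfix is None):
        return "fixed"
    if base == fixed_base and m.group(5) is not None:
        # "-hN" is compared with the hotfix number, "-NNN" with the build number
        threshold = fixed_hotfix if m.group(4) else fixed_build
        if int(m.group(5)) >= threshold:
            return "fixed"
    return "vulnerable" if released else "vulnerable-fix-pending"

def audit(inventory):  # rows are (host, os, version)
    return {host: classify(os_name, ver) for host, os_name, ver in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "6.3.3-h9"),
    ("ws-002", "Windows", "6.3.3-998"),
    ("mac-01", "macOS", "6.2.8"),
    ("lnx-01", "Linux", "6.0.9"),
    ("lnx-02", "Linux", "6.2.8-h10"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A bare base release such as `6.2.8` is treated as older than its hotfix, and an OS/branch pair the table does not list is reported as `unlisted` rather than guessed.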
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
GlobalProtect App
- HOTFIX: Update GlobalProtect App to 6.3.3-h9 or later on Windows
- HOTFIX: Update GlobalProtect App to 6.3.3-h9 or later on macOS
- HOTFIX: Update GlobalProtect App to 6.3.3-h2 on Linux
- HOTFIX: Update GlobalProtect App to 6.2.8-h10 or later on Windows and macOS if version 6.3.3 is not yet available
- HOTFIX: Update GlobalProtect App to 6.0.13 on Windows and macOS if on legacy versions
Long-term hardening
- HARDENING: Monitor endpoint logs for unexpected privilege escalation activity or unusual GlobalProtect process behavior
CVEs (1)