The flaw, tracked as CVE-2025-2183 with a CVSS score of 4.5, affects the certificate validation process in GlobalProtect applications running on Windows and Linux systems.
The vulnerability stems from insufficient certificate validation in the GlobalProtect app, enabling attackers to connect the application to arbitrary servers.
This security weakness could be exploited by local non-administrative users or attackers positioned on the same network subnet to install malicious root certificates on endpoints and subsequently deploy malicious software signed by these fraudulent certificates.
The certificate validation flaw specifically impacts GlobalProtect installations under two primary conditions.
First, when the portal pushes certificates to clients for validating Portal or Gateway certificates (these are stored in the tca.cer file), and those “Trusted Root CA” certificates include the entire certificate chain for the Portal or Gateway certificates; such a configuration is vulnerable.
Second, installations with the “FULLCHAINCERTVERIFY” option enabled are also susceptible to this attack.
The vulnerability requires an adjacent network position and low attack complexity, though it does need specific environmental conditions to be exploitable.
Attackers must have either local access to the target system or be positioned on the same network subnet as the victim.
The security flaw affects multiple versions of GlobalProtect applications across different platforms.
On Windows systems, vulnerable versions include GlobalProtect App 6.3 (versions before 6.3.3-h2), GlobalProtect App 6.2 (versions before 6.2.8-h3), and all versions of GlobalProtect App 6.1 and 6.0.
On Linux, GlobalProtect App 6.3 is affected in versions before 6.3.3, and all versions of GlobalProtect App 6.2, 6.1, and 6.0 are vulnerable.
Notably, GlobalProtect applications on Android, iOS, and macOS platforms are not affected by this vulnerability, nor is the GlobalProtect UWP App.
Palo Alto Networks has released security updates to address the vulnerability, with patched versions now available for affected platforms.
The company emphasizes that no malicious exploitation of this issue has been observed in the wild.
The vulnerability was discovered internally by Nikola Markovic of Palo Alto Networks and Maxime Escorbiac of Michelin CERT.
Beyond applying software updates, organizations must implement additional configuration changes to fully protect against this vulnerability.
These include ensuring portal and gateway certificates can be validated using the operating system’s certificate store, removing certificates associated with portal/gateway validation from the “Trusted Root CA” list, and enabling the “Enable Strict Certificate Check” portal setting.
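The two vulnerable conditions above and the remediation steps here come down to one question an administrator can check directly: does the client's “Trusted Root CA” list contain anything other than self-signed root CAs? The following Go program is an added example, not Palo Alto Networks' code; it mints a constructed root, intermediate and portal chain (all names made up) and flags list entries that are intermediates or leaves, which is what the advice to remove portal/gateway validation certificates from that list amounts to. It does not parse tca.cer; the helper names and certificate subjects are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent (self-signed when parent is nil); key usages are simplified so one helper serves roots, intermediates and leaves.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, parentKey = tmpl, key } // no issuer given: self-sign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AuditTrustedRoots returns the common names of "Trusted Root CA" entries that are not self-signed CAs: an intermediate or a portal/gateway leaf pushed into that list is the configuration the advisory says to remove.
func AuditTrustedRoots(list []*x509.Certificate) []string {
	var flagged []string
	for _, c := range list {
		if !c.IsCA || c.CheckSignatureFrom(c) != nil {
			flagged = append(flagged, c.Subject.CommonName)
		}
	}
	return flagged
}

// DemoChain is a constructed root -> intermediate -> portal chain (made-up names); pushing all three as trusted roots is the vulnerable setup, DemoChain()[:1] keeps only the root.
func DemoChain() []*x509.Certificate {
	root, rootKey := issue("Demo Root CA", 1, true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", 2, true, root, rootKey)
	portal, _ := issue("portal.example.test", 3, false, inter, interKey)
	return []*x509.Certificate{root, inter, portal}
}

func main() {
	fmt.Println("flagged (whole chain pushed):", AuditTrustedRoots(DemoChain()), "flagged (root only):", AuditTrustedRoots(DemoChain()[:1]))
}
```

The same check applied to a real export of the client's trusted list would show whether the portal-pushed bundle still carries chain members that belong in the operating system's certificate store validation path instead.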
Organizations using affected GlobalProtect versions should prioritize updating to the latest patched releases and implementing the recommended configuration changes to prevent potential exploitation of this certificate validation weakness.
The post Palo Alto Networks GlobalProtect Flaw Allows Privilege Escalation appeared first on Cyber Security News.