Palo Alto GlobalProtect Flaw Enables Root Access

Palo Alto Networks has revealed a serious security flaw in its GlobalProtect VPN application that allows locally authenticated users to escalate privileges to root on macOS and Linux, or to NT AUTHORITY\SYSTEM on Windows. 

This vulnerability, caused by incorrect privilege assignment, presents a major risk for organizations using the widely adopted enterprise VPN solution. It affects several versions of the GlobalProtect app on Windows, macOS, and Linux, and allows users with local access to gain full administrative control. An attacker could use this to install unauthorized software, change system settings, access confidential information, or create persistent access points. 

The issue has been assigned a CVSS score of 5.7 under the base temporal metric and 8.4 under the base scoring system, placing it in the medium severity category with a strong recommendation for prompt remediation. 

Palo Alto Networks has identified this as a CWE-426 Untrusted Search Path vulnerability, which typically involves loading files from insecure directories that attackers can exploit. Devices running GlobalProtect on iOS, Android, Chrome OS, and the GlobalProtect UWP app are not affected. Importantly, no special configuration is needed for systems to be vulnerable, which means default installations are at risk. 

Multiple GlobalProtect versions are impacted. Users on macOS and Windows running version 6.3 should update to at least 6.3.3-h1 (6.3.3-c650). Those using version 6.2 need to upgrade to 6.2.8-h2 (6.2.8-c243) or later, while Linux users should apply version 6.2.8 or newer, with a fix expected by July 11, 2025. 

All systems running versions 6.1 and 6.0 across macOS, Windows, and Linux require immediate updates. Palo Alto Networks has provided detailed upgrade paths depending on platform and version. 
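The version thresholds above can be applied to an endpoint inventory. The following is an added example, not code from Palo Alto Networks or from the original article. It assumes the inventory reports versions in the `X.Y.Z`, `X.Y.Z-hN` or `X.Y.Z-cN` forms quoted above. The platform labels, hostnames and inventory rows are constructed, and any train and platform pair the article does not cover is returned as `unknown` for manual review.

```python
import re

# Minimum fixed releases quoted in the article: (train, family) -> (patch, hotfix, build)
FIXED = {
    ("6.3", "desktop"): (3, 1, 650),  # 6.3.3-h1 (6.3.3-c650) on macOS/Windows
    ("6.2", "desktop"): (8, 2, 243),  # 6.2.8-h2 (6.2.8-c243) on macOS/Windows
    ("6.2", "linux"): (8, 0, 0),      # 6.2.8 or newer on Linux
}
MUST_UPGRADE = {"6.1", "6.0"}         # article: all platforms require updates
UNAFFECTED = {"ios", "android", "chromeos", "uwp"}  # labels are assumptions
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([hc])(\d+))?$")

def triage(platform, version):
    """Classify one endpoint: not-affected, patched, vulnerable or unknown."""
    platform = platform.lower()
    if platform in UNAFFECTED:
        return "not-affected"
    m = VERSION_RE.match(version.strip())
    if not m or platform not in {"windows", "macos", "linux"}:
        return "unknown"              # unparsable version or unlisted platform
    train, patch = f"{m[1]}.{m[2]}", int(m[3])
    if train in MUST_UPGRADE:
        return "vulnerable"
    family = "linux" if platform == "linux" else "desktop"
    fixed = FIXED.get((train, family))
    if fixed is None:
        return "unknown"              # pair not covered by the article
    fix_patch, fix_hotfix, fix_build = fixed
    if patch != fix_patch:
        return "patched" if patch > fix_patch else "vulnerable"
    # Same patch level: compare the hotfix (-hN) or build (-cN) suffix.
    kind, num = m[4], int(m[5] or 0)
    floor = fix_build if kind == "c" else fix_hotfix
    return "patched" if num >= floor else "vulnerable"

# Constructed inventory rows (hostname, platform, reported version).
INVENTORY = [
    ("lt-001", "windows", "6.3.3"),
    ("lt-002", "macos", "6.3.3-c650"),
    ("lt-003", "windows", "6.2.8-h1"),
    ("srv-01", "linux", "6.2.8"),
    ("lt-004", "macos", "6.1.5"),
    ("ph-001", "ios", "6.1.5"),
]

def needs_patch(inventory):
    """Return hostnames that are vulnerable or could not be classified."""
    return [h for h, p, v in inventory if triage(p, v) in ("vulnerable", "unknown")]

if __name__ == "__main__":
    print(needs_patch(INVENTORY))
```

An unsuffixed `6.3.3` on Windows or macOS is reported as vulnerable because the fix the article names for that train is the `-h1` hotfix build.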

There are no temporary fixes or workarounds available. The only effective solution is to install the latest patched version of the software. 

At this time, Palo Alto Networks has not observed any active exploitation of the vulnerability. Still, organizations are strongly urged to patch their systems promptly due to the risk of privilege escalation. 

The vulnerability was responsibly reported by security researchers Alex Bourla and Graham Brereton, who have been publicly acknowledged by the company. 

To stay secure, all organizations using GlobalProtect should prioritize these updates without delay. 

 
