Palo Alto Networks GlobalProtect Vulnerability Allows Root User Privilege Escalation
Palo Alto Networks has disclosed a critical security vulnerability in its GlobalProtect VPN application that enables locally authenticated users to escalate their privileges to root access on macOS and Linux systems, or NT AUTHORITY\SYSTEM on Windows machines.
The vulnerability, classified as an incorrect privilege assignment flaw, poses significant security risks for organizations relying on the popular enterprise VPN solution.
The security flaw affects multiple versions of the GlobalProtect app across Windows, macOS, and Linux platforms, allowing non-administrative users who already have local access to a system to gain complete administrative control.
This type of privilege escalation attack could enable malicious actors to install software, modify system configurations, access sensitive data, or establish persistent backdoors on compromised systems.
Palo Alto Networks GlobalProtect Vulnerability
The vulnerability has been assigned a CVSS score of 5.7 under the base temporal scoring system and 8.4 under the base scoring system, indicating a medium severity level with moderate urgency for remediation.
Palo Alto Networks categorizes this as a CWE-426 Untrusted Search Path weakness, which typically involves applications loading resources from insecure locations that can be manipulated by attackers.
Notably, the GlobalProtect applications on iOS, Android, Chrome OS, and the GlobalProtect UWP app remain unaffected by this vulnerability. The company emphasizes that no special configuration is required for systems to be vulnerable, meaning all default installations of affected versions are at risk.
The vulnerability impacts several major versions of GlobalProtect. For version 6.3 users on macOS and Windows, systems running versions prior to 6.3.3-h1 (6.3.3-c650) are vulnerable and should upgrade immediately. Version 6.2 users on macOS and Windows need to update to 6.2.8-h2 (6.2.8-c243) or later, while Linux users should upgrade to version 6.2.8 or later, with the fix expected to be available by July 11, 2025.
All installations of GlobalProtect versions 6.1 and 6.0 across macOS, Windows, and Linux platforms are affected and require immediate upgrades to the latest patched versions. The company provides specific upgrade paths for each platform and version combination.
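The version thresholds above can be turned into a fleet triage check. The following is an added example, not code from Palo Alto Networks or the original article; the inventory format, host names and platform labels are constructed, and it assumes app versions are recorded in the `6.3.3-h1` form the article uses.

```python
import re

# Fixed releases as stated in the article: branch -> {platform: (patch, hotfix)}.
FIXED = {
    (6, 3): {"macos": (3, 1), "windows": (3, 1)},                    # 6.3.3-h1
    (6, 2): {"macos": (8, 2), "windows": (8, 2), "linux": (8, 0)},   # 6.2.8-h2 / 6.2.8
}
ALL_AFFECTED = {(6, 1), (6, 0)}          # every installation on these branches
NOT_AFFECTED = {"ios", "android", "chromeos", "uwp"}  # assumed platform labels
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(platform, version):
    """Return 'vulnerable', 'fixed', 'not affected' or 'unknown'."""
    platform = platform.strip().lower()
    if platform in NOT_AFFECTED:
        return "not affected"
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"                 # version string not in the assumed form
    major, minor, patch, hotfix = (int(g or 0) for g in m.groups())
    if (major, minor) in ALL_AFFECTED and platform in {"macos", "windows", "linux"}:
        return "vulnerable"
    fixed = FIXED.get((major, minor), {}).get(platform)
    if fixed is None:
        return "unknown"                 # branch/platform pair the article does not cover
    return "fixed" if (patch, hotfix) >= fixed else "vulnerable"


def triage(inventory):
    """Group host names by classification."""
    groups = {}
    for host, platform, version in inventory:
        groups.setdefault(classify(platform, version), []).append(host)
    return groups


# Constructed sample inventory: (host, platform, GlobalProtect app version).
SAMPLE = [
    ("lt-001", "windows", "6.3.3"),
    ("lt-002", "windows", "6.3.3-h1"),
    ("mb-003", "macos", "6.2.8"),
    ("ws-004", "linux", "6.2.8"),
    ("ws-005", "linux", "6.1.4"),
    ("ph-006", "ios", "6.1.4"),
    ("ws-007", "linux", "6.3.2"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unknown` fall outside the combinations the article lists and should be checked against the vendor advisory directly.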
Palo Alto Networks explicitly states that no workarounds or mitigations are available for this vulnerability, making immediate software updates the only viable solution.
The company reports no known malicious exploitation of this issue in the wild, but organizations should prioritize patching efforts given the potential for privilege escalation attacks.
The vulnerability was discovered and reported by security researchers Alex Bourla and Graham Brereton, whom Palo Alto Networks has acknowledged for their responsible disclosure.
Organizations using GlobalProtect should implement the recommended updates as soon as possible to maintain their security posture.