CVE-2025-0118

12.03.2025, 19:15

A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.

This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
palo_alto	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 33%

Vendor	Product	Version
paloaltonetworks	globalprotect	6.0.0 ≤ 𝑥 < 6.0.11
paloaltonetworks	globalprotect	6.1.0 ≤ 𝑥 < 6.1.6
paloaltonetworks	globalprotect	6.2.0 ≤ 𝑥 < 6.2.5
paloaltonetworks	globalprotect	6.3.0 ≤ 𝑥 < 6.3.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-618 - Exposed Unsafe ActiveX Method
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).

References

https://security.paloaltonetworks.com/CVE-2025-0118