Palo Alto Networks has disclosed a moderate-severity security vulnerability in its GlobalProtect VPN application that could allow attackers to escalate privileges and install malicious software on targeted endpoints.
The flaw, tracked as CVE-2025-2183 with a CVSS score of 4.5, affects the certificate validation process in GlobalProtect applications running on Windows and Linux systems.
The vulnerability stems from insufficient certificate validation in the GlobalProtect app, which lets an attacker make the app connect to a server of the attacker's choosing rather than the legitimate portal or gateway.
From that position, a local non-administrative operating system user, or an attacker on the same network subnet, can install malicious root certificates on the endpoint and then install malicious software signed under those rogue roots.
Technical Details and Attack Vector
The certificate validation flaw is only exposed under either of two configurations.
The first is when the portal pushes certificates to clients for validating portal or gateway certificates (stored in the app's tca.cer file) and that "Trusted Root CA" list includes the entire certificate chain for the portal or gateway certificates, i.e. the intermediate and leaf certificates rather than only the root.
The second is an installation with the "FULLCHAINCERTVERIFY" option enabled on the GlobalProtect app.
The issue is rated as needing only adjacent network access and low attack complexity, but one of the configurations above must be present before it can be exploited.
The attacker needs either a local (non-administrative) account on the target system or a position on the same network subnet as the victim.
Affected Systems and Versions
The security flaw affects multiple versions of GlobalProtect applications across different platforms.
On Windows systems, vulnerable versions include GlobalProtect App 6.3 (versions before 6.3.3-h2), GlobalProtect App 6.2 (versions before 6.2.8-h3), and all versions of GlobalProtect App 6.1 and 6.0.
On Linux, GlobalProtect App 6.3 before 6.3.3 is affected, and all versions of 6.2, 6.1, and 6.0 are vulnerable.
Notably, GlobalProtect applications on Android, iOS, and macOS platforms are not affected by this vulnerability, nor is the GlobalProtect UWP App.
Company Response and Remediation
Palo Alto Networks has released security updates to address the vulnerability, with patched versions now available for affected platforms.
The company emphasizes that no malicious exploitation of this issue has been observed in the wild.
The vulnerability was discovered internally by Nikola Markovic of Palo Alto Networks and Maxime Escorbiac of Michelin CERT.
Beyond applying software updates, organizations must implement additional configuration changes to fully protect against this vulnerability.
These are: make sure the portal and gateway certificates chain to a root in the operating system's certificate store; remove the certificates used for portal/gateway validation from the "Trusted Root CA" list, so that it holds only genuine root CAs; and enable the "Enable Strict Certificate Check" portal setting.
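The vulnerable condition described in the technical details (a "Trusted Root CA" list that carries the whole portal/gateway chain) and the matching remediation step (strip those chain certificates out) both come down to one question: does the bundle contain anything that is not self-issued? The script below is an added example, not Palo Alto Networks' tooling or code. It assumes tca.cer is a PEM bundle of certificates (an assumption; the on-disk location also varies by platform, so no path is hard-coded), parses each certificate's issuer and subject with a small hand-written DER reader so it runs with the standard library only, and flags every certificate whose issuer differs from its subject. The sample bundle is constructed in the script from unsigned certificate shells; it is structurally valid X.509 but not real CA material.

```python
import base64
import re

# --- DER helpers, used only to construct the sample bundle (not real CA data) ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def alg_id(oid_hex: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { OID, NULL }."""
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))

def x509_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)."""
    atv = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def fake_cert_der(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed X.509 v3 shell: correct field order, dummy key and signature."""
    sig_alg = alg_id("2a864886f70d01010b")                       # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"350101000000Z"))
    spki = der(0x30, alg_id("2a864886f70d010101") + der(0x03, b"\x00\x00"))  # rsaEncryption, placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                # [0] EXPLICIT version v3
                    + der(0x02, b"\x01")                         # serialNumber
                    + sig_alg + x509_name(issuer_cn) + validity
                    + x509_name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 17))    # dummy BIT STRING signature

def pem_bundle(*ders: bytes) -> str:
    """Wrap DER certificates as a PEM bundle, the assumed tca.cer layout."""
    blocks = []
    for d in ders:
        b64 = base64.b64encode(d).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(blocks)

# --- Minimal DER reader used by the audit -------------------------------------

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    return tag, pos + hdr, pos + hdr + length

def children(buf: bytes, start: int, end: int):
    """Yield (tag, whole_tlv, value) for each TLV directly inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, buf[pos:vend], buf[vstart:vend]
        pos = vend

def common_name(name_tlv: bytes) -> str:
    """First CN inside a DER Name; falls back to the hex of the Name if there is none."""
    _, s, e = read_tlv(name_tlv, 0)
    for _, rdn, _ in children(name_tlv, s, e):
        _, rs, re_end = read_tlv(rdn, 0)
        for _, atv, _ in children(rdn, rs, re_end):
            _, as_, ae = read_tlv(atv, 0)
            parts = list(children(atv, as_, ae))
            if parts[0][2] == bytes([0x55, 0x04, 0x03]):
                return parts[1][2].decode("utf-8", "replace")
    return name_tlv.hex()

def subject_issuer(cert_der: bytes):
    """Raw DER (issuer, subject) Name TLVs from a certificate, version field optional."""
    _, cs, ce = read_tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = next(children(cert_der, cs, ce))       # tbsCertificate
    _, ts, te = read_tlv(tbs, 0)
    fields = list(children(tbs, ts, te))
    if fields[0][0] == 0xA0:                           # skip [0] version when present
        fields = fields[1:]
    return fields[2][1], fields[4][1]                  # serial, sigAlg, issuer, validity, subject

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_trusted_roots(pem_text: str):
    """Classify each cert in a tca.cer-style bundle as self-issued (root) or chain member."""
    results = []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject = subject_issuer(base64.b64decode("".join(m.group(1).split())))
        results.append({"subject": common_name(subject), "issuer": common_name(issuer),
                        "self_issued": issuer == subject})
    return results

def chain_members(pem_text: str):
    """Subjects that should be removed from the Trusted Root CA list (the vulnerable condition)."""
    return [r["subject"] for r in audit_trusted_roots(pem_text) if not r["self_issued"]]

# Constructed sample: a root plus the intermediate and portal leaf that a misconfigured
# portal would push as part of the "entire certificate chain".
SAMPLE_TCA = pem_bundle(fake_cert_der("Example Root CA", "Example Root CA"),
                        fake_cert_der("Example Issuing CA", "Example Root CA"),
                        fake_cert_der("vpn.example.com", "Example Issuing CA"))

if __name__ == "__main__":
    for r in audit_trusted_roots(SAMPLE_TCA):
        print("ok  " if r["self_issued"] else "WARN", f"subject={r['subject']!r} issuer={r['issuer']!r}")
    print("remove from Trusted Root CA list:", chain_members(SAMPLE_TCA))
```

To run it against a real endpoint, read the bundle from disk and pass its text to `audit_trusted_roots` or `chain_members`. The issuer-equals-subject test is a structural heuristic: it catches intermediates and leaves, which is exactly what the advisory warns about, but a cross-signed root (same subject, different issuer) will also be flagged and needs a human look, and a bundle that passes this check still has to be paired with the FULLCHAINCERTVERIFY and "Enable Strict Certificate Check" settings described above.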
Organizations using affected GlobalProtect versions should prioritize updating to the latest patched releases and implementing the recommended configuration changes to prevent potential exploitation of this certificate validation weakness.