CVE-2025-0118
Published 2025-03-12
Priority: P3 (43) · CVSS 3.1: 8.0 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.41% (33.0th percentile)
A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.
This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | globalprotect_app | >= 6.0.0 < 6.0.11 | 6.0.11 |
| palo_alto_networks | globalprotect_app | >= 6.1.0 < 6.1.6 | 6.1.6 |
| palo_alto_networks | globalprotect_app | >= 6.2.0 < 6.2.5 | 6.2.5 |
| paloalto | globalprotect_app | — | — |
| paloalto | globalprotect_uwp_app | — | — |
| paloaltonetworks | globalprotect | >= 6.0.0 < 6.0.11 | 6.0.11 |
| paloaltonetworks | globalprotect | >= 6.1.0 < 6.1.6 | 6.1.6 |
| paloaltonetworks | globalprotect | >= 6.2.0 < 6.2.5 | 6.2.5 |
| paloaltonetworks | globalprotect | >= 6.3.0 < 6.3.3 | 6.3.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber |
GHSA
GHSA-4gx3-p432-m8m7 (ghsa_unreviewed, 2025-03-12): CVE-2025-0118 [MEDIUM], CWE-618
Palo Alto
GlobalProtect App: Execution of Unsafe ActiveX Control Vulnerability (vendor_paloalto, CVSS 6.0): CVE-2025-0118 [MEDIUM], CWE-618
Affected products: GlobalProtect App, GlobalProtect UWP App
Solution: The issue is addressed by hardening the browser embedded in GlobalProtect app to disallow ActiveX plugins. This security enhancement is implemented
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.