
Description

A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device. This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.

Status: PUBLISHED | Reserved 2024-12-20 | Published 2025-03-12 | Updated 2025-03-12 | Assigner: palo_alto

Severity: MEDIUM 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L/AU:N/R:U/V:D/RE:M/U:Amber)

An attacker deceives an authenticated Windows user and entices the user to navigate to a malicious web page during the GlobalProtect SAML login process.

Problem types

CWE-618 Exposed Unsafe ActiveX Method

Product status

Default status: unaffected
6.3.0 (custom) before 6.3.3: unaffected
6.2.0 (custom) before 6.2.5: affected
6.1.0 (custom) before 6.1.6: affected
6.0.0 (custom) before 6.0.11: affected

Default status: unaffected
All (custom) before 6.3.3: unaffected

Default status: unaffected
All (custom): unaffected

Credits

Maxime ESCOURBIAC, Michelin CERT (finder)

Yassine BENGANA, Abicom for Michelin CERT (finder)

References

security.paloaltonetworks.com/CVE-2025-0118 (vendor advisory)

cve.org (CVE-2025-0118)

nvd.nist.gov (CVE-2025-0118)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.