
THREATINT
PUBLISHED

CVE-2025-0118

GlobalProtect App: Execution of Unsafe ActiveX Control Vulnerability



Description

A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device. This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.

Reserved 2024-12-20 | Published 2025-03-12 | Updated 2025-03-12 | Assigner palo_alto


MEDIUM: 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L/AU:N/R:U/V:D/RE:M/U:Amber)

An attacker deceives an authenticated Windows user and entices the user to navigate to a malicious web page during the GlobalProtect SAML login process.

Problem types

CWE-618 Exposed Unsafe ActiveX Method

Product status

Default status: unaffected
  6.3.0 before 6.3.3    unaffected
  6.2.0 before 6.2.5    affected
  6.1.0 before 6.1.6    affected
  6.0.0 before 6.0.11   affected

Default status: unaffected
  All before 6.3.3      unaffected

Default status: unaffected
  All                   unaffected

Credits

Maxime ESCOURBIAC, Michelin CERT (finder)

Yassine BENGANA, Abicom for Michelin CERT (finder)

References

security.paloaltonetworks.com/CVE-2025-0118 (vendor advisory)

cve.org (CVE-2025-0118)

nvd.nist.gov (CVE-2025-0118)
