CVE-2025-4227
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-06-27
Assigner: Palo Alto Networks, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| paloaltonetworks | globalprotect | From 6.0.0 (inc) to 6.2.8 (exc) |
| paloaltonetworks | globalprotect | From 6.3.0 (inc) to 6.3.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an improper access control issue in the Endpoint Traffic Policy Enforcement feature of the Palo Alto Networks GlobalProtect app on Windows and macOS. Under certain conditions the feature lets some packets leave the endpoint unencrypted instead of being sent through the VPN tunnel (hence the CWE-319 classification, cleartext transmission of sensitive data). An attacker with physical access to the network the endpoint is on can inject rogue devices to intercept those packets. Under normal conditions the GlobalProtect app recovers within one minute, so each exposure window is short. [1]
How can this vulnerability impact me?
The impact is limited to the interception of some packets that should have travelled inside the tunnel, by an attacker with physical access to the same network as the endpoint. The vulnerable product itself is not compromised: the confidentiality, integrity and availability of the GlobalProtect app and gateway are unaffected beyond the exposure of those packets. Attack complexity is low and no privileges are required, but user interaction is needed. The app normally recovers from the condition within one minute. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with inventory: identify Windows and macOS endpoints running an affected GlobalProtect app version and check whether 'Endpoint Traffic Policy Enforcement' is enabled for them. The setting lives in the GlobalProtect Portal configuration under Network > GlobalProtect > Portals > Agent > App Configurations. Because the defect lets packets that should be tunnelled leave in the clear, a capture taken on the endpoint's physical network interface (not the virtual tunnel adapter, where traffic is seen before encapsulation) can reveal flows that bypass the tunnel. The referenced resources provide no specific commands for this. [1]
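The packet-capture check described above, as an added example that is not part of the original page or of Palo Alto Networks' tooling: it reads a CSV export of packets seen on the endpoint's physical interface and flags every flow that did not go to the GlobalProtect gateway over the tunnel ports. The gateway address, the LAN, the sample capture and the CSV layout are all constructed assumptions; the tunnel ports (GlobalProtect IPsec on UDP/4501, SSL fallback on TCP/443) and the DHCP exception are the only real-world facts it relies on. The `mode` argument mirrors the two enforcement settings the mitigation guidance mentions, so ICMP is treated as permitted only under 'All TCP/UDP Traffic'.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address
from typing import Optional

# Assumed for this example (not from the advisory): the gateway the app is connected to.
GATEWAY = ip_address("203.0.113.10")
# Flows that legitimately leave the physical NIC even with enforcement set to "All Traffic":
# the tunnel itself (GlobalProtect IPsec on UDP/4501, SSL fallback on TCP/443 to the gateway)
# and DHCP, which the endpoint needs before the tunnel can come up.
TUNNEL_PORTS = {("udp", 4501), ("tcp", 443)}
DHCP_PORTS = {67, 68}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for ICMP


def parse_flows(text: str) -> list[Flow]:
    """Parse a CSV export of packets seen on the physical interface (ts,src,dst,proto,dport)."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        dport = int(row["dport"]) if row["dport"] else None
        flows.append(Flow(row["ts"], row["src"], row["dst"], row["proto"].lower(), dport))
    return flows


def is_permitted(flow: Flow, mode: str = "all") -> bool:
    """True if the flow may bypass the tunnel under the given Endpoint Traffic Policy
    Enforcement mode: "all" (All Traffic) or "tcp_udp" (All TCP/UDP Traffic, which leaves
    ICMP outside the tunnel so ADEM probes still work)."""
    if ip_address(flow.dst) == GATEWAY and (flow.proto, flow.dport) in TUNNEL_PORTS:
        return True
    if flow.proto == "udp" and flow.dport in DHCP_PORTS:
        return True
    if mode == "tcp_udp" and flow.proto == "icmp":
        return True
    return False


def find_leaks(text: str, mode: str = "all") -> list[Flow]:
    """Return the flows that left the physical interface without going through the tunnel."""
    return [f for f in parse_flows(text) if not is_permitted(f, mode)]


# Constructed sample capture: one laptop (192.168.1.20) on a LAN, gateway at 203.0.113.10.
# Rows 1-3 are the tunnel, the SSL control connection and DHCP; rows 4-6 are plaintext HTTP,
# local DNS and an ICMP echo that all bypassed the tunnel.
SAMPLE_CAPTURE = """ts,src,dst,proto,dport
10:00:01.001,192.168.1.20,203.0.113.10,udp,4501
10:00:01.002,192.168.1.20,203.0.113.10,tcp,443
10:00:01.003,192.168.1.20,192.168.1.1,udp,67
10:00:02.104,192.168.1.20,198.51.100.7,tcp,80
10:00:02.105,192.168.1.20,192.168.1.1,udp,53
10:00:02.106,192.168.1.20,198.51.100.7,icmp,
"""

if __name__ == "__main__":
    for mode in ("all", "tcp_udp"):
        print(f"mode={mode}")
        for f in find_leaks(SAMPLE_CAPTURE, mode):
            print(f"  LEAK {f.ts} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Because the advisory says the app recovers within a minute, a spot check is unlikely to catch the condition; run the capture continuously on the physical interface for the period under review and feed the whole export through `find_leaks`. Any flow it reports is traffic the enforcement setting should have kept inside the tunnel.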
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Upgrading affected GlobalProtect app installations: 6.2 to 6.2.8-h2 or later, 6.3 to 6.3.2-566 or later, and 6.0 and 6.1 to 6.3.2-566 or later. 2) Setting 'Endpoint Traffic Policy Enforcement' to 'All Traffic' in the GlobalProtect App configurations. 3) Enabling 'Allow Gateway Access from GlobalProtect Only' on the GlobalProtect Portal (requires content version 8977 or newer). 4) Committing the configuration changes. In environments that use Autonomous Digital Experience Management (ADEM), set 'Endpoint Traffic Policy Enforcement' to 'All TCP/UDP Traffic' instead of 'All Traffic': this still blocks TCP/UDP interception while leaving ICMP outside the tunnel so ADEM probes keep working. [1]
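A fleet-triage helper for step 1, added here as an example and not taken from the page or from Palo Alto Networks: given an endpoint inventory, it decides which installations still need the upgrade, using the fixed versions exactly as stated in the guidance above. The version-string format ("major.minor.patch" with an optional "-h2"- or "-566"-style suffix that orders numerically within the same patch level), the inventory layout and the hostnames are assumptions; versions outside the 6.0 to 6.3 branches the advisory covers are reported as unknown rather than guessed at.

```python
import re
from typing import Iterable

# Fixed versions as stated in the mitigation guidance above.
FIXED = {"6.2": "6.2.8-h2", "6.3": "6.3.2-566"}
# 6.0 and 6.1 have no fixed release of their own; the guidance points them at these.
UPGRADE_TARGETS = ("6.3.2-566", "6.2.8-h2")
AFFECTED_BRANCHES = ("6.0", "6.1", "6.2", "6.3")

# Assumption for this example: a GlobalProtect version string is major.minor.patch with an
# optional "-<letters><digits>" suffix (hotfix "h2", build "566"); no suffix sorts lowest.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z]*(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Turn '6.2.8-h2' into a comparable tuple (6, 2, 8, 2); '6.3.1' becomes (6, 3, 1, 0)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {s!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), int(suffix) if suffix else 0)


def assess(version: str) -> tuple[str, str]:
    """Return (status, advice) for one app version: 'fixed', 'affected' or 'unknown'."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED_BRANCHES:
        return ("unknown", f"{version} is outside the branches covered by this advisory")
    if branch in FIXED:
        if v >= parse_version(FIXED[branch]):
            return ("fixed", f"{version} includes the fix")
        return ("affected", f"upgrade to {FIXED[branch]} or later")
    return ("affected", "no fixed " + branch + " release; upgrade to " + " or ".join(UPGRADE_TARGETS))


def triage(inventory: Iterable[tuple[str, str, str]]) -> dict[str, tuple[str, str]]:
    """Map hostname -> (status, advice). Only Windows and macOS are in scope per the advisory."""
    result = {}
    for host, platform, version in inventory:
        if platform.lower() not in ("windows", "macos"):
            result[host] = ("not_affected", f"{platform} is not in scope for this advisory")
            continue
        result[host] = assess(version)
    return result


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("lap-001", "Windows", "6.2.7"),
    ("lap-002", "macOS", "6.2.8-h2"),
    ("lap-003", "Windows", "6.3.2-566"),
    ("lap-004", "Windows", "6.3.1"),
    ("lap-005", "Linux", "6.1.4"),
    ("lap-006", "Windows", "6.1.4"),
]

if __name__ == "__main__":
    for host, (status, advice) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status:13} {advice}")
```

Note that the script treats a bare "6.2.8" as still affected, because the guidance names 6.2.8-h2 as the first fixed 6.2 release; if your inventory tool strips hotfix suffixes, pull the full version string before relying on the result.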