CVE-2025-2183
BaseFortify

Publication date: 2025-08-13

Last updated on: 2025-08-13

Assigner: Palo Alto Networks, Inc.

Description
An insufficient certificate validation issue in the Palo Alto Networks GlobalProtect™ app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-08-13
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
15 associated CPEs, all for vendor palo_alto_networks, product globalprotect_app:
Vendor               Product            Version / Range
palo_alto_networks   globalprotect_app  6.0
palo_alto_networks   globalprotect_app  6.1
palo_alto_networks   globalprotect_app  6.2.0
palo_alto_networks   globalprotect_app  6.2.1
palo_alto_networks   globalprotect_app  6.2.2
palo_alto_networks   globalprotect_app  6.2.3
palo_alto_networks   globalprotect_app  6.2.4
palo_alto_networks   globalprotect_app  6.2.5
palo_alto_networks   globalprotect_app  6.2.6
palo_alto_networks   globalprotect_app  6.2.7
palo_alto_networks   globalprotect_app  6.2.8
palo_alto_networks   globalprotect_app  6.3.0
palo_alto_networks   globalprotect_app  6.3.1
palo_alto_networks   globalprotect_app  6.3.2
palo_alto_networks   globalprotect_app  * (any version)
CWE
CWE-295: The product does not validate, or incorrectly validates, a certificate.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Palo Alto Networks GlobalProtect app is due to insufficient validation of the certificate presented by the portal or gateway the app connects to. Because the app does not reject an illegitimate server certificate, a local non-administrative user or an attacker on the same subnet can steer the app to a server they control. That server can then push malicious root certificates onto the endpoint, and software signed by those certificates will afterwards be treated as trusted, which is how the issue is escalated to privilege escalation on the affected system. [1]
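The difference between accepting a server certificate and validating it against the operating system's trust store (which is what the mitigation on this page asks the app to do) is easier to see in code. The PowerShell below is an added illustration written for this page; it is not GlobalProtect code and does not reproduce the GlobalProtect defect. It builds a throwaway self-signed certificate in memory for `portal.example.invalid` (a constructed name, not a real portal) and runs it through two checks: a permissive validation routine in the CWE-295 style, and a chain build against the OS root store combined with a hostname comparison. It uses only .NET classes that ship with PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed test input: a self-signed "server" certificate built in memory.
# It never touches a certificate store, so a chain build must report it untrusted.
function New-TestServerCert {
    param([string]$DnsName = 'portal.example.invalid')   # assumed hostname, not a real portal
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$DnsName", $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName($DnsName)
    $req.CertificateExtensions.Add($san.Build())
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
    return $req.CreateSelfSigned($notBefore, $notBefore.AddDays(30))
}

# The CWE-295 anti-pattern: whatever the server presents is accepted, so the client
# will talk to any endpoint that answers on the portal's address.
function Test-ServerCertPermissive {
    param([X509Certificate2]$Cert)
    return $true
}

# Validation against the OS certificate store: the chain must terminate at a root the
# OS already trusts, and the leaf must be issued for the host we intended to reach.
function Test-ServerCertStrict {
    param([X509Certificate2]$Cert, [string]$ExpectedHost)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # keeps the example offline
    $chainOk  = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $hostOk   = $Cert.GetNameInfo([X509NameType]::DnsName, $false) -eq $ExpectedHost
    return [pscustomobject]@{
        ChainTrusted = $chainOk
        ChainStatus  = ($problems -join ',')
        HostMatches  = $hostOk
        Accept       = ($chainOk -and $hostOk)
    }
}

$cert = New-TestServerCert
"Permissive check accepts: $(Test-ServerCertPermissive -Cert $cert)"
Test-ServerCertStrict -Cert $cert -ExpectedHost 'portal.example.invalid' | Format-List
```

For the constructed certificate, `Build()` fails and `ChainStatus` reports `UntrustedRoot`, because no store contains that self-signed leaf as a trust anchor; the permissive routine simply discards that verdict. If the same self-signed leaf were imported into a Trusted Root store, `Build()` would succeed, and so would the chain of anything else signed with that certificate's key. That is why this page's mitigation says to remove portal and gateway certificates from the Trusted Root CA list: a server certificate placed there stops being one trusted server and becomes an issuing authority.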


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers with local or adjacent network access to install malicious root certificates on your device. This enables them to install malicious software that appears trusted, potentially leading to privilege escalation and compromise of the confidentiality and integrity of your system. However, it does not affect system availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts: confirm that the installed GlobalProtect app version falls in an affected range, and confirm that the configuration which makes the issue exploitable is present. The affected versions are 6.3.0 through 6.3.2 on Windows and Linux, 6.2.0 through 6.2.8 on Windows, and all 6.1 and 6.0 versions. The configuration indicators are portal or gateway certificates that have been placed in the Trusted Root CA list (on the portal, and consequently in the endpoint's root store) and a portal on which "Enable Strict Certificate Check" (FULLCHAINCERTVERIFY=yes) is not enabled.

Commands that help with each check:
On Windows, use "Get-ItemProperty" in PowerShell against the HKLM Uninstall registry keys to list installed software and its DisplayVersion, and "certmgr.msc" or "certutil -store Root" to view the root store and look for portal or gateway certificates that should not be there.
On Linux, use "globalprotect show --version" to print the app version, and "openssl x509 -in /path/to/certificate -text -noout" to print a certificate's subject, issuer and subject alternative names, which is enough to tell a portal/gateway leaf certificate from a CA certificate.
On the portal, verify the FULLCHAINCERTVERIFY setting in the app configuration. [1]


What immediate steps should I take to mitigate this vulnerability?

Upgrade the GlobalProtect app to a fixed build. On Windows: 6.3.x to 6.3.2-h9 or 6.3.3-h2 (or later); 6.2.x to 6.2.8-h3 or later; 6.1 and 6.0 have no fixed build in their own train and should be moved to at least 6.2.8-h3 or 6.3.3-h2. On Linux: 6.3.x to 6.3.3 or later. Independently of the upgrade, correct the configuration that makes the issue exploitable: have portal and gateway certificates validated through the operating system's certificate store, remove portal/gateway certificates from the Trusted Root CA list in the portal configuration, and enable "Enable Strict Certificate Check" (FULLCHAINCERTVERIFY=yes) on the portal. No workarounds are known, so upgrading together with these configuration changes is the only complete fix. [1]
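The detection and mitigation answers above reduce to three checks on a Windows endpoint: the installed build against the fixed builds, the strict-certificate-check setting, and the root store. The script below is an added example written for this page, not Palo Alto Networks tooling. It encodes the Windows version ranges quoted above, reads the installed version from the standard Uninstall registry keys, reads FULLCHAINCERTVERIFY from an assumed GlobalProtect registry location, and lists root-store certificates issued for the portal or gateway names you pass in (`vpn.example.com` is a placeholder). Two assumptions to confirm on a known machine before relying on it: that DisplayVersion carries a "-hN" suffix when a hotfix is installed, and the settings registry path.

```powershell
# Added triage script for CVE-2025-2183 on a Windows endpoint (not Palo Alto Networks tooling).
# Version ranges are the Windows ones quoted on this page; registry locations marked
# "assumed" should be confirmed on a known-good machine first.

function ConvertTo-GpVersion {
    # "6.2.8-h3" -> [version]6.2.8.3 ; "6.2.8" -> 6.2.8.0 ; "6.1" -> 6.1.0.0
    # Mapping the hotfix number into the fourth field lets [version] ordering do the work.
    param([Parameter(Mandatory)][string]$Text)
    $base, $hot = $Text.Trim() -split '-h', 2
    $parts = @($base -split '\.')
    while ($parts.Count -lt 3) { $parts += '0' }
    $parts += $(if ($hot) { $hot } else { '0' })
    return [version]($parts[0..3] -join '.')
}

function Test-GpVulnerableVersion {
    # $true = affected build, $false = fixed build, $null = train not covered by the advisory text.
    param([Parameter(Mandatory)][string]$Version)
    $v = ConvertTo-GpVersion $Version
    switch ("$($v.Major).$($v.Minor)") {
        '6.0' { return $true }   # no fixed build in these trains
        '6.1' { return $true }
        '6.2' { return ($v -lt (ConvertTo-GpVersion '6.2.8-h3')) }
        '6.3' {
            # 6.3.2-h9 fixes the 6.3.2 line; 6.3.3 without -h2 is still affected.
            $fixedOn632 = ($v -ge (ConvertTo-GpVersion '6.3.2-h9')) -and ($v -lt (ConvertTo-GpVersion '6.3.3'))
            $fixedOn633 = ($v -ge (ConvertTo-GpVersion '6.3.3-h2'))
            return (-not ($fixedOn632 -or $fixedOn633))
        }
        default { return $null }
    }
}

function Get-GpInstalledVersion {
    # MSI-installed software records DisplayVersion under the Uninstall keys (64- and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'GlobalProtect*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-GpStrictCertCheck {
    # Assumed client-side location of the portal-pushed setting; adjust if your deployment differs.
    $path = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
    (Get-ItemProperty -Path $path -Name FULLCHAINCERTVERIFY -ErrorAction SilentlyContinue).FULLCHAINCERTVERIFY
}

function Get-SuspectRootCerts {
    # A portal or gateway leaf certificate has no business in a Root store; list any that name the VPN hosts.
    param([Parameter(Mandatory)][string[]]$VpnHosts)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
            $c = $_
            $names = @($c.DnsNameList.Unicode) + @($c.GetNameInfo('DnsName', $false))
            ($VpnHosts | Where-Object { $names -contains $_ }).Count -gt 0
        } | Select-Object @{n = 'Store'; e = { $store }}, Subject, Thumbprint, NotAfter
    }
}

# Report for this endpoint. 'vpn.example.com' is a placeholder for your portal/gateway names.
$installed = Get-GpInstalledVersion
$affected  = if ($installed) { Test-GpVulnerableVersion $installed } else { $null }
[pscustomobject]@{
    InstalledVersion = $installed
    AffectedVersion  = $affected
    StrictCertCheck  = Get-GpStrictCertCheck      # should read 'yes' once the portal mitigation is applied
    SuspectRootCerts = @(Get-SuspectRootCerts -VpnHosts 'vpn.example.com')
}
```

Run it elevated so both the HKLM hives and the LocalMachine store are readable. An endpoint is in the clear only when AffectedVersion is $false, StrictCertCheck is yes, and SuspectRootCerts is empty; a $null AffectedVersion means the installed train is outside the ranges this page lists, not that it is safe.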

