CVE-2025-0118

8.0 HIGH

📋 TL;DR

A vulnerability in Palo Alto Networks GlobalProtect app on Windows allows remote attackers to execute ActiveX controls as an authenticated Windows user. This enables command execution with user privileges when the user visits a malicious page during SAML login. Only Windows devices running the GlobalProtect app are affected.

💻 Affected Systems

Products:
  • Palo Alto Networks GlobalProtect app
Versions: Specific versions not provided in CVE description; check vendor advisory for details
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows platforms during GlobalProtect SAML authentication process. Non-Windows platforms are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Windows system with authenticated user privileges, allowing lateral movement, data theft, and persistence establishment.

🟠 Likely Case

Limited privilege escalation within the user context, potentially leading to credential theft, data access, and an initial foothold for further attacks.

🟢 If Mitigated

No impact if users avoid malicious pages during SAML login or if the vulnerability is patched.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content but can be delivered via phishing or compromised websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via internal phishing campaigns or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (visiting malicious page during SAML login) and authenticated Windows user context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://security.paloaltonetworks.com/CVE-2025-0118

Restart Required: No

Instructions:

1. Visit the Palo Alto Networks security advisory.
2. Identify affected GlobalProtect versions.
3. Update to the latest patched version.
4. Verify update completion.

🔧 Temporary Workarounds

Disable ActiveX controls (Windows)

  • Configure Windows to block ActiveX controls during browser sessions
  • Use Group Policy or registry settings to disable ActiveX controls

User awareness training (all platforms)

  • Train users to avoid clicking suspicious links during authentication processes
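The registry-based workaround above, written out as an added PowerShell example (this is not code from the advisory or from Palo Alto Networks). It writes the Internet zone (zone 3) policy values that the equivalent Group Policy setting would write, so ActiveX controls are disabled rather than prompted for. It assumes the browser GlobalProtect uses for SAML login honours Internet Explorer security-zone settings, and it must run from an elevated session because it writes under HKLM. The value names are the documented IE URL-action identifiers; 3 means "Disable".

```powershell
# Added example, not from the advisory. Disable ActiveX in the Internet zone
# via the policy hive (the path a GPO writes to). Run elevated.
# Assumption: the embedded browser used for SAML login respects IE zone settings.
$zonePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE URL-action identifiers for the Internet zone; value 3 = Disable.
$activeXSettings = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe for scripting
}

function Set-ActiveXDisabled {
    param(
        [string]$Path = $zonePath,
        [hashtable]$Settings = $activeXSettings
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $Path -Name $name -Value $Settings[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-ActiveXDisabled {
    param(
        [string]$Path = $zonePath,
        [hashtable]$Settings = $activeXSettings
    )
    if (-not (Test-Path $Path)) { return $false }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $Settings.Keys) {
        # Every action must be explicitly set to Disable (3); Prompt (1) is not enough.
        if ($props.$name -ne 3) { return $false }
    }
    return $true
}

Set-ActiveXDisabled
if (Test-ActiveXDisabled) {
    'ActiveX controls are disabled for the Internet zone'
} else {
    'ActiveX policy values were not applied; check that the session is elevated'
}
```

Zone 3 only covers sites that Windows classifies as Internet. If the SAML identity provider is mapped into the Local intranet (zone 1) or Trusted sites (zone 2), apply the same values under those zone keys as well, and confirm with Test-ActiveXDisabled against each path. The matching Group Policy setting lives under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone.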

🧯 If You Can't Patch

  • Implement network segmentation to limit lateral movement
  • Use application allowlisting to prevent unauthorized ActiveX execution

🔍 How to Verify

Check if Vulnerable:

Check GlobalProtect app version against vendor advisory for affected versions

Check Version:

Check GlobalProtect app version in Windows Programs & Features or via command line

Verify Fix Applied:

Confirm GlobalProtect app is updated to patched version specified in vendor advisory
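The command-line version check described above, as an added PowerShell example (not code from the advisory or from Palo Alto Networks). It reads the installed GlobalProtect version from the Windows uninstall registry in both the 64-bit and 32-bit views, the same data Programs & Features displays, and compares it with the fixed version. The fixed version itself is a placeholder here because this page does not list affected or fixed versions; take the real value from the vendor advisory before relying on the result.

```powershell
# Added example, not from the advisory. Locate the installed GlobalProtect app
# and compare its version with the fixed version from the vendor advisory.
# PLACEHOLDER: replace 0.0.0 with the fixed version listed at
# https://security.paloaltonetworks.com/CVE-2025-0118
$fixedVersion = [version]'0.0.0'

function Get-GlobalProtectVersion {
    # Programs & Features is populated from these two uninstall hives.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'GlobalProtect*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-GlobalProtectPatched {
    param(
        [string]$Installed,
        [version]$Fixed
    )
    # Not installed: nothing to assess on this host.
    if (-not $Installed) { return $null }
    # DisplayVersion may carry a build suffix (e.g. "6.2.1-123"); keep the numeric prefix
    # so it can be cast to [version] and compared numerically, not as a string.
    $clean = $Installed -replace '[^0-9.].*$', ''
    return ([version]$clean -ge $Fixed)
}

$installed = Get-GlobalProtectVersion
$result = Test-GlobalProtectPatched -Installed $installed -Fixed $fixedVersion

if ($null -eq $result) {
    'GlobalProtect app not found on this host'
} elseif ($result) {
    "GlobalProtect $installed is at or above the fixed version $fixedVersion"
} else {
    "GlobalProtect $installed is below the fixed version $fixedVersion; update required"
}
```

Run this after the update as well: the "Verify Fix Applied" step is the same comparison with the patched version filled in. Because the comparison is numeric, a host reporting 6.10.0 is correctly judged newer than 6.9.0, which a plain string comparison would get wrong.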

📡 Detection & Monitoring

Log Indicators:

  • Unusual ActiveX execution events in Windows logs
  • Suspicious authentication attempts in GlobalProtect logs

Network Indicators:

  • Unexpected outbound connections from GlobalProtect processes
  • Traffic to known malicious domains during authentication

SIEM Query:

Search for ActiveX execution events combined with GlobalProtect authentication logs
