CVE-2025-0120
📋 TL;DR
A privilege escalation vulnerability in Palo Alto Networks GlobalProtect app on Windows allows local non-admin users to gain SYSTEM privileges by exploiting a race condition. This affects Windows devices running vulnerable versions of GlobalProtect. Successful exploitation requires local access and precise timing.
💻 Affected Systems
- Palo Alto Networks GlobalProtect app
📦 What is this software?
GlobalProtect by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement.
Likely Case
Limited to environments where attackers already have local access and can execute carefully timed exploits, resulting in privilege escalation on individual endpoints.
If Mitigated
With proper endpoint controls and monitoring, exploitation attempts would be detected and blocked before SYSTEM access is achieved.
🎯 Exploit Status
Requires local authentication AND winning a race condition, which makes reliable exploitation challenging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2025-0120
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Update the GlobalProtect app to the patched version.
3. Restart affected Windows systems.
🔧 Temporary Workarounds
Restrict local user privileges
Windows: Limit non-administrative users' ability to execute arbitrary code or access sensitive directories
Enable exploit protection
Windows: Configure Windows Defender Exploit Guard or a similar control to detect and block privilege escalation attempts
🧯 If You Can't Patch
- Implement strict least privilege access controls for local users
- Monitor for suspicious process creation and privilege escalation events
🔍 How to Verify
Check if Vulnerable:
Compare the installed GlobalProtect version against the vendor advisory; the host is vulnerable if it runs an affected version on Windows
Check Version:
Check GlobalProtect app version in Windows Programs and Features or via GlobalProtect UI
Verify Fix Applied:
Confirm the GlobalProtect version matches a patched version listed in the vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation with SYSTEM privileges
- GlobalProtect service manipulation events
- Race condition exploitation patterns
Network Indicators:
- Unusual outbound connections from SYSTEM context following local user activity
SIEM Query:
Process creation where parent process is non-admin user and child process runs as SYSTEM
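The SIEM query above, as an added example that is not part of the advisory or of Palo Alto Networks' own tooling: it runs the "non-admin parent, SYSTEM child" logic over constructed Sysmon-style process-creation records. The field names (Image, User, ParentImage, ParentUser) and the set of local administrator accounts are assumptions for the example.

```python
# Added example (not from the advisory or the vendor): minimal form of the
# SIEM logic "parent runs as a non-admin user, child runs as SYSTEM".
# Record fields mirror Sysmon Event ID 1 (Image/User/ParentImage/ParentUser);
# that layout and the admin account list are assumptions of this example.
from dataclasses import dataclass
from typing import Iterable, List, Set

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}
# Built-in service accounts legitimately spawn SYSTEM children all day;
# treat them as privileged parents so normal OS activity does not fire.
PRIVILEGED_PARENTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}


@dataclass(frozen=True)
class ProcEvent:
    image: str
    user: str
    parent_image: str
    parent_user: str


def is_privileged(user: str, local_admins: Set[str]) -> bool:
    """True for service accounts and for known local administrators."""
    return user in PRIVILEGED_PARENTS or user in local_admins


def find_suspicious(events: Iterable[ProcEvent], local_admins: Set[str]) -> List[ProcEvent]:
    """Return events where a non-privileged parent spawned a SYSTEM child."""
    return [
        ev for ev in events
        if ev.user in SYSTEM_ACCOUNTS and not is_privileged(ev.parent_user, local_admins)
    ]


# Constructed sample telemetry (not real logs). Only the second record should match:
# a standard user's process is the parent of a child running as SYSTEM.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Users\jdoe\Desktop\app.exe", "CORP\\jdoe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "CORP\\jdoe",
              r"C:\Windows\explorer.exe", "CORP\\jdoe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM",
              r"C:\Tools\admin_console.exe", "CORP\\itadmin"),
]
LOCAL_ADMINS = {"CORP\\itadmin"}  # assumed admin list; feed from AD/LAPS data in practice


def run_sample() -> List[ProcEvent]:
    return find_suspicious(SAMPLE_EVENTS, LOCAL_ADMINS)
```

In production the same logic should be scoped to the GlobalProtect install path on the parent or child side to cut noise from other legitimate elevation paths.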