A newly disclosed vulnerability in Palo Alto Networks’ GlobalProtect application could allow attackers to escalate privileges and install malicious software on affected systems through improper certificate validation.
The security flaw, tracked as CVE-2025-2183, was published on August 13, 2025, and affects multiple versions of the popular VPN client across Windows and Linux platforms.
Critical Security Flaw Details
The vulnerability stems from insufficient certificate validation within the GlobalProtect app, enabling attackers to redirect the application to connect to arbitrary servers under their control.
| CVE Details   | Information      |
|---------------|------------------|
| CVE ID        | CVE-2025-2183    |
| CVSS Score    | 4.5 (Medium)     |
| Attack Vector | Adjacent Network |
This weakness can be exploited by a local non-administrative user, or by an attacker positioned on the same network subnet, to install malicious root certificates on the target endpoint.
Once these fraudulent certificates are installed, attackers can subsequently deploy malicious software signed by their own certificate authorities, effectively bypassing standard security controls.
The attack vector is classified as “adjacent,” meaning attackers need network proximity to the target system rather than remote internet access.
Palo Alto Networks has assigned this vulnerability a CVSS score of 4.5, categorizing it as medium severity with moderate urgency.
Despite the technical complexity, the company reports no evidence of active exploitation in the wild, as the vulnerability was discovered through internal security research.
Affected Systems and Versions
The vulnerability impacts GlobalProtect App versions across multiple platforms, with Windows and Linux systems bearing the primary risk. Notably, Android, iOS, and macOS versions remain unaffected by this particular security issue.
Palo Alto Networks has released security updates addressing the vulnerability, with specific hotfixes available for affected versions.
Windows users should upgrade to GlobalProtect App 6.3.3-h2 or 6.2.8-h3, depending on their current version, while Linux users need version 6.3.3 or later.
Beyond software updates, organizations must implement additional configuration changes to fully protect against exploitation.
These include ensuring portal and gateway certificates validate through the operating system’s certificate store, removing certificates from the “Trusted Root CA” list, and enabling strict certificate checking.
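The article does not describe the exact validation defect, so the following is an illustrative policy check added for this write-up, not GlobalProtect's own code. It models the three mitigations just listed: the peer certificate's issuer must be found in the operating system's trust store (here a constructed stand-in set, `OS_TRUST_STORE`) rather than in an application-local "Trusted Root CA" list (`APP_TRUSTED_ROOT_LIST`, also constructed), and strict checking enforces the validity period and an RFC 6125-style subjectAltName match against the configured portal hostname. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the names, dates and CA labels are sample values, and the `strict=False` branch only shows what a lenient client that trusts its own root list and skips the name check would accept.

```python
"""Illustrative server-certificate policy check for a VPN client (example
code added for this article; not GlobalProtect's validation logic)."""
from datetime import datetime, timezone

# Stand-in for the operating system's trust store: subject names of the roots
# the OS trusts (constructed sample value).
OS_TRUST_STORE = {"Corp Root CA"}

# Stand-in for an application-local "Trusted Root CA" list of the kind the
# advisory says to empty. Constructed sample: a rogue root has been added to it.
APP_TRUSTED_ROOT_LIST = {"Corp Root CA", "Rogue Root CA"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS name matching: case-insensitive, a single '*' only
    as the entire leftmost label, never matching across a dot, and never
    matching a bare public suffix such as '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def validate_peer_cert(cert: dict, expected_host: str, now: datetime,
                       strict: bool = True) -> tuple[bool, str]:
    """Decide whether the client may proceed with a peer certificate.

    `cert` uses the dict layout of ssl.SSLSocket.getpeercert(). In strict mode
    the issuer must be in the OS trust store and a subjectAltName must match
    the configured host. In lenient mode (the weak configuration) the
    app-local root list is consulted instead and the hostname is not checked.
    """
    # Validity window: getpeercert() reports 'notBefore'/'notAfter' as strings.
    fmt = "%b %d %H:%M:%S %Y GMT"
    not_before = datetime.strptime(cert["notBefore"], fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], fmt).replace(tzinfo=timezone.utc)
    if not (not_before <= now <= not_after):
        return False, "certificate outside validity period"

    # Issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    issuer_cn = dict(pair for rdn in cert["issuer"] for pair in rdn).get("commonName")
    trusted = OS_TRUST_STORE if strict else APP_TRUSTED_ROOT_LIST
    if issuer_cn not in trusted:
        return False, f"issuer {issuer_cn!r} not in trust store"

    if strict:
        san_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not any(hostname_matches(n, expected_host) for n in san_names):
            return False, f"no subjectAltName matches {expected_host!r}"
    return True, "ok"


# Constructed sample certificates (hypothetical hosts and CA names).
LEGIT_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Corp Root CA"),)),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}
ROGUE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Rogue Root CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Jan 10 00:00:00 2026 GMT",
}


def demo(now: datetime = datetime(2025, 8, 13, tzinfo=timezone.utc)) -> dict:
    """Run both certificates through strict and lenient policy."""
    return {
        "legit_strict": validate_peer_cert(LEGIT_CERT, "vpn.example.com", now),
        "rogue_strict": validate_peer_cert(ROGUE_CERT, "vpn.example.com", now),
        "rogue_lenient": validate_peer_cert(ROGUE_CERT, "vpn.example.com", now, strict=False),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:14} -> {'accept' if ok else 'reject'} ({reason})")
```

The strict path rejects the rogue certificate because its issuer is absent from the OS store, even though its subjectAltName names the expected portal; the lenient path accepts it because the app-local list contains the rogue root. That is the gap the configuration guidance closes: once the app-local list is emptied and validation goes through the OS store, an attacker-controlled server has nothing to present that the client will trust.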
The vulnerability underscores the critical importance of proper certificate validation in enterprise security applications, particularly for VPN solutions that serve as primary network access points for remote users.