ghsa-h9qj-xx2j-6h84
Vulnerability from github
Published: 2025-06-13 06:30
Modified: 2025-06-27 18:30
Details
An improper access control vulnerability in the Endpoint Traffic Policy Enforcement (https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement) feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.
An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.
{ "affected": [], "aliases": [ "CVE-2025-4227" ], "database_specific": { "cwe_ids": [ "CWE-319" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-06-13T06:15:22Z", "severity": "LOW" }, "details": "An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtect\u2122 app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.\n\nAn attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.", "id": "GHSA-h9qj-xx2j-6h84", "modified": "2025-06-27T18:30:38Z", "published": "2025-06-13T06:30:26Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4227" }, { "type": "WEB", "url": "https://security.paloaltonetworks.com/CVE-2025-4227" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Green", "type": "CVSS_V4" } ] }
cve-2025-4227
Vulnerability from cvelistv5
Published: 2025-06-13 05:50
Modified: 2025-06-23 16:06
Summary
GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement
References
| URL | Tags |
|---|---|
| https://security.paloaltonetworks.com/CVE-2025-4227 | vendor-advisory |
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-4227", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-13T18:50:08.392375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-23T16:06:55.397Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Windows:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Windows:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Windows:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*" ], "defaultStatus": "unaffected", "platforms": [ "Windows", "macOS" ], "product": "GlobalProtect App", "vendor": "Palo Alto Networks", "versions": [ { "changes": [ { "at": "6.3.3-h1", "status": "unaffected" }, { "at": "6.3.2-566", "status": "unaffected" } ], "lessThan": "6.3.2-566", "status": "affected", "version": "6.3.0", "versionType": "custom" }, { "changes": [ { "at": "6.2.8-h2", "status": "unaffected" } ], "lessThan": "6.2.8-h2", "status": "affected", "version": "6.2.0", "versionType": "custom" }, { "status": "affected", "version": "6.1.0", "versionType": "custom" }, { "status": "affected", "version": "6.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:ChromeOS:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:UWP:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Linux:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Android:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:iOS:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:ChromeOS:*:*", 
"cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:UWP:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Android:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:iOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:ChromeOS:*:*", "cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:UWP:*:*" ], "defaultStatus": "unaffected", "platforms": [ "Linux", "Android", "iOS", "Chrome OS", "UWP" ], "product": "GlobalProtect App", "vendor": "Palo Alto Networks", "versions": [ { "changes": [ { "at": "11.2.7", "status": "unaffected" } ], "lessThan": "11.2.7", "status": "unaffected", "version": "All", "versionType": "custom" } ] } ], "configurations": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "This issue affects Windows and macOS endpoints with \"Endpoint Traffic Policy Enforcement\" enabled. 
To verify if you have Endpoint Traffic Policy Enforcement enabled:\u003cbr\u003e\u003cbr\u003e\u003cul\u003e\u003cli\u003eNetwork \u003cb\u003e\u0026gt;\u003c/b\u003e GlobalProtect \u003cb\u003e\u0026gt;\u003c/b\u003e Portals \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Portal configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e Agent tab \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Agent configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e App tab \u003cb\u003e\u0026gt;\u003c/b\u003e App Configurations \u003cb\u003e\u0026gt;\u003c/b\u003e Endpoint Traffic Policy Enforcement \u003cb\u003e\u0026gt;\u003c/b\u003e (Option not set to: \u201cNo\u201d)\u003c/li\u003e\u003c/ul\u003e" } ], "value": "This issue affects Windows and macOS endpoints with \"Endpoint Traffic Policy Enforcement\" enabled. To verify if you have Endpoint Traffic Policy Enforcement enabled:\n\n * Network \u003e GlobalProtect \u003e Portals \u003e (Open Portal configuration) \u003e Agent tab \u003e (Open Agent configuration) \u003e App tab \u003e App Configurations \u003e Endpoint Traffic Policy Enforcement \u003e (Option not set to: \u201cNo\u201d)" } ], "credits": [ { "lang": "en", "type": "finder", "value": "Tan Cheng Ghee of OCBC Bank" } ], "datePublic": "2025-06-11T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An improper access control vulnerability in the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement\"\u003eEndpoint Traffic Policy Enforcement\u003c/a\u003e feature of the Palo Alto Networks GlobalProtect\u2122 app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.\u003cbr\u003e\u003cbr\u003eAn attacker with physical access to the network can inject rogue devices to intercept these packets. 
Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.\u0026nbsp;" } ], "value": "An improper access control vulnerability in the Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement feature of the Palo Alto Networks GlobalProtect\u2122 app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.\n\nAn attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute." } ], "exploits": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue." } ], "value": "Palo Alto Networks is not aware of any malicious exploitation of this issue." 
} ], "impacts": [ { "capecId": "CAPEC-117", "descriptions": [ { "lang": "en", "value": "CAPEC-117: Interception" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NO", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "baseScore": 1, "baseSeverity": "LOW", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-13T05:50:52.280Z", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://security.paloaltonetworks.com/CVE-2025-4227" } ], "solutions": [ { "lang": "eng", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "1. 
Upgrade the GlobalProtect App to one of the unaffected versions:\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eVersion\u003cbr\u003e\u003c/th\u003e\u003cth\u003eMinor Version\u003cbr\u003e\u003c/th\u003e\u003cth\u003eSuggested Solution\u003cbr\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\n \u003ctd\u003eGlobalProtect App 6.3 on Windows, macOS\u003cbr\u003e\u003c/td\u003e\n \u003ctd\u003e6.3.3\u003cbr\u003e6.3.0 through 6.3.2\u003c/td\u003e\n \u003ctd\u003eNo solution available. A 6.3.3 hotfix is planned. (ETA: 12 June 2025).\u003cbr\u003eUpgrade to 6.3.2-566 or later.\u003c/td\u003e\n \u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.2 on Windows, macOS\u003c/td\u003e\u003ctd\u003e6.2.0\u0026nbsp;through 6.2.8-223\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.2-566 or later. A new hotfix for 6.2.8 is planned. (ETA: June 2025).\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.1 on Windows, macOS\u003c/td\u003e\u003ctd\u003eAll\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.2-566 or later.\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App 6.0 on Windows, macOS\u003c/td\u003e\u003ctd\u003eAll\u003c/td\u003e\u003ctd\u003eUpgrade to 6.3.2-566 or later.\u003cbr\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eGlobalProtect App on Linux, Android, iOS, Chrome OS, UWP\u003c/td\u003e\u003ctd\u003eAll\u003c/td\u003e\u003ctd\u003eNot applicable.\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e2. 
Ensure that \"Endpoint Traffic Policy Enforcement\" is set to \u201cAll Traffic\u201d under the GlobalProtect App Configurations.\u003cbr\u003e\u003cul\u003e\u003cli\u003eNetwork \u003cb\u003e\u0026gt;\u003c/b\u003e GlobalProtect \u003cb\u003e\u0026gt;\u003c/b\u003e Portals \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Portal configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e Agent tab \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Agent configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e App tab \u003cb\u003e\u0026gt;\u003c/b\u003e App Configurations \u003cb\u003e\u0026gt;\u003c/b\u003e Endpoint Traffic Policy Enforcement (Select: All Traffic)\u003cbr\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e3. GlobalProtect Portal: Enable \"Allow Gateway Access from GlobalProtect Only\" (Requires Content version 8977 or newer). This must be enabled in conjunction with \"Endpoint Traffic Policy Enforcement\" under the GlobalProtect App Configurations.\u003cbr\u003e\u003cul\u003e\u003cli\u003eNetwork \u003cb\u003e\u0026gt;\u003c/b\u003e GlobalProtect \u003cb\u003e\u0026gt;\u003c/b\u003e Portals \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Portal configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e Agent tab \u003cb\u003e\u0026gt;\u003c/b\u003e (Open Agent configuration) \u003cb\u003e\u0026gt;\u003c/b\u003e App tab \u003cb\u003e\u0026gt;\u003c/b\u003e App Configurations \u003cb\u003e\u0026gt;\u003c/b\u003e Allow Gateway Access from GlobalProtect Only (Select: Yes)\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e4. Commit your configuration." } ], "value": "1. Upgrade the GlobalProtect App to one of the unaffected versions:\n\nVersion\nMinor Version\nSuggested Solution\n\n GlobalProtect App 6.3 on Windows, macOS\n\n 6.3.3\n6.3.0 through 6.3.2\n No solution available. A 6.3.3 hotfix is planned. (ETA: 12 June 2025).\nUpgrade to 6.3.2-566 or later.\n GlobalProtect App 6.2 on Windows, macOS6.2.0\u00a0through 6.2.8-223Upgrade to 6.3.2-566 or later. A new hotfix for 6.2.8 is planned. 
(ETA: June 2025).\nGlobalProtect App 6.1 on Windows, macOSAllUpgrade to 6.3.2-566 or later.\nGlobalProtect App 6.0 on Windows, macOSAllUpgrade to 6.3.2-566 or later.\nGlobalProtect App on Linux, Android, iOS, Chrome OS, UWPAllNot applicable.\n2. Ensure that \"Endpoint Traffic Policy Enforcement\" is set to \u201cAll Traffic\u201d under the GlobalProtect App Configurations.\n * Network \u003e GlobalProtect \u003e Portals \u003e (Open Portal configuration) \u003e Agent tab \u003e (Open Agent configuration) \u003e App tab \u003e App Configurations \u003e Endpoint Traffic Policy Enforcement (Select: All Traffic)\n\n\n\n\n3. GlobalProtect Portal: Enable \"Allow Gateway Access from GlobalProtect Only\" (Requires Content version 8977 or newer). This must be enabled in conjunction with \"Endpoint Traffic Policy Enforcement\" under the GlobalProtect App Configurations.\n * Network \u003e GlobalProtect \u003e Portals \u003e (Open Portal configuration) \u003e Agent tab \u003e (Open Agent configuration) \u003e App tab \u003e App Configurations \u003e Allow Gateway Access from GlobalProtect Only (Select: Yes)\n\n\n\n4. Commit your configuration." } ], "source": { "defect": [ "GPC-22460" ], "discovery": "EXTERNAL" }, "timeline": [ { "lang": "en", "time": "2025-06-11T16:00:00.000Z", "value": "Initial Publication" } ], "title": "GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement", "workarounds": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003ch3\u003eAvailable Mitigation when solution interferes with\u0026nbsp;Autonomous Digital Experience Management (ADEM)\u003c/h3\u003e\u003cul\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\"\u003eADEM\u003c/a\u003e functionality depends on ICMP probes that must be sent outside of the secure tunnel. 
When \"Allow Gateway Access from GlobalProtect Only\" is set to \"Yes\" and \"Endpoint Traffic Policy Enforcement\" is configured as \"All Traffic,\" these \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\"\u003eADEM\u003c/a\u003e probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.\u003c/li\u003e\u003cli\u003eThis issue can be addressed by changing \"Endpoint Traffic Policy Enforcement\" to \"All TCP/UDP Traffic.\" This adjustment prevents interception of TCP and UDP traffic while allowing \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\"\u003eADEM\u003c/a\u003e probes to function properly. However, this configuration still permits ICMP, and other non-TCP/UDP traffic to be intercepted.\u0026nbsp;\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e" } ], "value": "Available Mitigation when solution interferes with\u00a0Autonomous Digital Experience Management (ADEM) * ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem functionality depends on ICMP probes that must be sent outside of the secure tunnel. When \"Allow Gateway Access from GlobalProtect Only\" is set to \"Yes\" and \"Endpoint Traffic Policy Enforcement\" is configured as \"All Traffic,\" these ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.\n * This issue can be addressed by changing \"Endpoint Traffic Policy Enforcement\" to \"All TCP/UDP Traffic.\" This adjustment prevents interception of TCP and UDP traffic while allowing ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem probes to function properly. 
However, this configuration still permits ICMP, and other non-TCP/UDP traffic to be intercepted." } ], "x_affectedList": [ "GlobalProtect App 6.3.2", "GlobalProtect App 6.3.1", "GlobalProtect App 6.3.0", "GlobalProtect App 6.3", "GlobalProtect App 6.2.7", "GlobalProtect App 6.2.6", "GlobalProtect App 6.2.4", "GlobalProtect App 6.2.3", "GlobalProtect App 6.2.2", "GlobalProtect App 6.2.1", "GlobalProtect App 6.2.0", "GlobalProtect App 6.2", "GlobalProtect App 6.1.7", "GlobalProtect App 6.1.6", "GlobalProtect App 6.1.5", "GlobalProtect App 6.1.4", "GlobalProtect App 6.1.3", "GlobalProtect App 6.1.2", "GlobalProtect App 6.1.1", "GlobalProtect App 6.1.0", "GlobalProtect App 6.1", "GlobalProtect App 6.0.11", "GlobalProtect App 6.0.10", "GlobalProtect App 6.0.8", "GlobalProtect App 6.0.7", "GlobalProtect App 6.0.6", "GlobalProtect App 6.0.5", "GlobalProtect App 6.0.4", "GlobalProtect App 6.0.3", "GlobalProtect App 6.0.2", "GlobalProtect App 6.0.1", "GlobalProtect App 6.0.0", "GlobalProtect App 6.0" ], "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2025-4227", "datePublished": "2025-06-13T05:50:52.280Z", "dateReserved": "2025-05-02T19:10:39.630Z", "dateUpdated": "2025-06-23T16:06:55.397Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }