Palo Alto plugs high-risk loopholes in PAN-OS and GlobalProtect
Palo Alto Networks distributes updated software – to plug security leaks in PAN-OS and GlobalProtect, some of which are highly risky.
Palo Alto Networks has issued security advisories for vulnerabilities in several products, including the PAN-OS operating system and the GlobalProtect app. Attackers can abuse the vulnerabilities to inject and execute commands with elevated privileges, inject and execute malicious code, or view traffic they are not authorized to see.
The manufacturer plays down the risk of the vulnerabilities in its advisories, as it only states the temporal score (CVSS-BT) rather than the base score (CVSS-B), which is always higher and which other manufacturers also use. Palo Alto reports three security vulnerabilities in the PAN-OS operating system, two of which are high-risk. Authenticated administrative users can perform actions as “root” due to a command injection vulnerability; the risk is greater if the management interface is reachable from the Internet (CVE-2025-4231 / no EUVD yet, CVSS 8.6, risk “high”). PAN-OS 11.0.3 and 10.2.8 and newer correct the problem.
The second command injection vulnerability in PAN-OS is similar and also allows bypassing security restrictions and executing arbitrary commands as “root”. Attackers must be authenticated and have access to the command line interface (CVE-2025-4230 / no EUVD yet, CVSS 8.4, risk “high”). PAN-OS 11.2.6, 11.1.10, 10.2.14 and 10.1.14-h15 and newer patch the vulnerability; admins running older versions should migrate to these supported releases. The SD-WAN feature of PAN-OS also has a vulnerability that allows unauthorized parties to view unencrypted data that the firewall sends through the SD-WAN interface (CVE-2025-4229, CVSS 6.0, risk “medium”). PAN-OS 11.2.7 (to be released in June), 11.1.10, 10.2.17 and 10.1.14-h16 (expected in July) close the leak.
GlobalProtect vulnerabilities
In the GlobalProtect VPN client, the logging function on macOS does not correctly filter some characters, allowing non-admin users to escalate their privileges to “root” (CVE-2025-4232, CVSS 8.5, risk “high”). GlobalProtect app 6.3.3 and 6.2.8-h2 (expected in June) for Mac plug the gap. Due to insufficient access control, some packets may remain unencrypted instead of being properly secured through the VPN tunnel (CVE-2025-4227, CVSS 2.0, risk “low”). GlobalProtect 6.3.2-566, 6.3.3-h1 and 6.2.8-h2 for macOS and Windows fix the bug, the last two of which are expected in June.
In addition, a vulnerability in Palo Alto Networks Cortex XDR Broker VM allows authenticated admins to execute certain files in the broker VM and thereby escalate their privileges to “root” (CVE-2025-4228 / no EUVD yet, CVSS 4.6, risk “medium”).
The security messages from Palo Alto Networks in detail:
- PAN-OS: Authenticated Admin Command Injection Vulnerability in the Management Web Interface, CVE-2025-4231, CVSS 8.6, risk “high”
- PAN-OS: Authenticated Admin Command Injection Vulnerability Through CLI, CVE-2025-4230, CVSS 8.4, risk “high”
- PAN-OS: Traffic Information Disclosure Vulnerability, CVE-2025-4229, CVSS 6.0, risk “medium”
- GlobalProtect: Authenticated Code Injection Through Wildcard on macOS, CVE-2025-4232, CVSS 8.5, risk “high”
- GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement, CVE-2025-4227, CVSS 2.0, risk “low”
- Cortex XDR Broker VM: Privilege Escalation (PE) Vulnerability, CVE-2025-4228, CVSS 4.6, risk “medium”
Palo Alto Networks last patched several vulnerabilities in mid-May, including in the PAN-OS firewall operating system.
(dmk)