CVE-2025-0118
Published: 12 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-0118 is a vulnerability in the Palo Alto Networks GlobalProtect app on Windows that allows a remote attacker to execute ActiveX controls within the context of an authenticated Windows user. This flaw enables the attacker to run arbitrary commands with the privileges of the legitimate authenticated user. The issue is specific to the GlobalProtect app on Windows devices and does not affect the app on other platforms. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-618.
Exploitation requires an authenticated user with low privileges (PR:L) to navigate to a malicious web page during the GlobalProtect SAML login process on a Windows device, involving user interaction (UI:R). A remote attacker (AV:N) can then leverage this to achieve high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) by executing commands in the user's context, potentially leading to full system compromise for the affected user.
For mitigation details, including available patches, refer to the official Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2025-0118. The vulnerability was published on 2025-03-12.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the Windows GlobalProtect client enables remote arbitrary command execution via ActiveX when a user visits a malicious web page during SAML login. This directly facilitates T1203 (Exploitation for Client Execution) and T1204.001 (Malicious Link for User Execution).