Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect™ app enables an attacker to intercept encrypted communications and potentially compromise the endpoint. This can enable a local non-administrative operating system user or an attacker on the same subnet to redirect traffic to an unauthorized server and facilitate the installation of malicious software.
The GlobalProtect app on Linux, Windows, iOS and GlobalProtect UWP app are not affected.
AnalysisAI
Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-the-middle attacks from locally adjacent network positions, enabling traffic interception and malicious software installation. The flaw allows an unauthenticated attacker on the same subnet - or a local non-administrative OS user - to redirect encrypted VPN communications to a rogue server by bypassing TLS certificate checks. No public exploit has been identified at time of analysis, EPSS is effectively zero, and CISA SSVC rates exploitation as none, though the high confidentiality and integrity impact on the vulnerable component warrants prompt patching on affected platforms.
Technical ContextAI
CWE-295 (Improper Certificate Validation) describes a failure to adequately verify X.509 certificates during TLS handshakes, allowing a forged or unauthorized certificate to be accepted as legitimate. GlobalProtect is Palo Alto Networks' VPN client used to establish secure tunnels to Prisma Access or PAN-OS gateways. The affected CPE is cpe:2.3:a:palo_alto_networks:globalprotect_app across multiple release trains (6.0, 6.1, 6.2, 6.3). Because the app fails to properly validate the server certificate during tunnel establishment or update processes, an attacker who can intercept network traffic - via ARP spoofing, rogue Wi-Fi, or similar adjacent-network techniques - can present a fraudulent certificate that the app accepts, decrypting or manipulating the encrypted channel. The CVSS 4.0 AT:P (attack target prerequisites exist) component reflects the platform-specificity of the flaw: Linux, Windows, iOS, and the UWP variant are explicitly confirmed unaffected, leaving macOS and Android as the vulnerable deployment targets.
RemediationAI
The primary fix is to upgrade GlobalProtect App on macOS and Android endpoints to the patched releases identified by Palo Alto Networks: 6.0.13 or 6.0.14, 6.1.13, 6.2.8-h10, or 6.3.3-h9, depending on the deployed release train. Refer to the vendor advisory at https://security.paloaltonetworks.com/CVE-2026-0249 for exact upgrade instructions and release notes. While patches are being deployed, organizations can reduce exposure by restricting GlobalProtect macOS and Android clients to trusted network segments where adjacent-network interception is not feasible - for example, enforcing VPN initiation only from wired corporate LANs or known Wi-Fi SSIDs with 802.1X authentication. Instructing users to avoid connecting GlobalProtect from untrusted networks (public Wi-Fi, hotel networks) as a temporary policy measure is a low-impact compensating control; however, this conflicts with the primary use case of remote-worker VPN access and is not a sustainable mitigation. Certificate pinning or gateway-side mutual TLS enforcement may provide partial defense but is subject to the same client-side validation flaw. Upgrade remains the only reliable remediation.
More in Globalprotect App
View allLocal privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a
Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker p
GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or un
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30100
GHSA-h3p8-5g8q-vm3h