{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-4227","assignerOrgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","state":"PUBLISHED","assignerShortName":"palo_alto","dateReserved":"2025-05-02T19:10:39.630Z","datePublished":"2025-06-13T05:50:52.280Z","dateUpdated":"2025-06-23T16:06:55.397Z"},"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:macOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Windows:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:macOS:*:*"],"defaultStatus":"unaffected","platforms":["Windows","macOS"],"product":"GlobalProtect App","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"6.3.3-h1","status":"unaffected"},{"at":"6.3.2-566","status":"unaffected"}],"lessThan":"6.3.2-566","status":"affected","version":"6.3.0","versionType":"custom"},{"changes":[{"at":"6.2.8-h2","status":"unaffected"}],"lessThan":"6.2.8-h2","status":"affected","version":"6.2.0","versionType":"custom"},{"status":"affected","version":"6.1.0","versionType":"custom"},{"status":"affected","version":"6.0.0","versionType":"custom"}]},{"cpes":["cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.2:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.1:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.3.0:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.7:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.6:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.4:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.3:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.2:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.1:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.2.0:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.7:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.6:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.5:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.4:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.3:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.2:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.1:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.1.0:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.11:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.10:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.8:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.7:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.6:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.5:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.4:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.3:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.2:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.1:*:*:*:*:UWP:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Linux:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:Android:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:iOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:ChromeOS:*:*","cpe:2.3:a:palo_alto_networks:globalprotect_app:6.0.0:*:*:*:*:UWP:*:*"],"defaultStatus":"unaffected","platforms":["Linux","Android","iOS","Chrome OS","UWP"],"product":"GlobalProtect App","vendor":"Palo Alto Networks","versions":[{"changes":[{"at":"11.2.7","status":"unaffected"}],"lessThan":"11.2.7","status":"unaffected","version":"All","versionType":"custom"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"This issue affects Windows and macOS endpoints with \"Endpoint Traffic Policy Enforcement\" enabled. To verify if you have Endpoint Traffic Policy Enforcement enabled:<br><br><ul><li>Network <b>&gt;</b> GlobalProtect <b>&gt;</b> Portals <b>&gt;</b> (Open Portal configuration) <b>&gt;</b> Agent tab <b>&gt;</b> (Open Agent configuration) <b>&gt;</b> App tab <b>&gt;</b> App Configurations <b>&gt;</b>  Endpoint Traffic Policy Enforcement <b>&gt;</b> (Option not set to: “No”)</li></ul>"}],"value":"This issue affects Windows and macOS endpoints with \"Endpoint Traffic Policy Enforcement\" enabled. To verify if you have Endpoint Traffic Policy Enforcement enabled:\n\n  *  Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations >  Endpoint Traffic Policy Enforcement > (Option not set to: “No”)"}],"credits":[{"lang":"en","type":"finder","value":"Tan Cheng Ghee of OCBC Bank"}],"datePublic":"2025-06-11T16:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper access control vulnerability in the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement\">Endpoint Traffic Policy Enforcement</a> feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.<br><br>An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.&nbsp;"}],"value":"An improper access control vulnerability in the  Endpoint Traffic Policy Enforcement https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement  feature of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel.\n\nAn attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"value":"Palo Alto Networks is not aware of any malicious exploitation of this issue."}],"impacts":[{"capecId":"CAPEC-117","descriptions":[{"lang":"en","value":"CAPEC-117: Interception"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NO","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"PHYSICAL","baseScore":1,"baseSeverity":"LOW","privilegesRequired":"NONE","providerUrgency":"GREEN","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"LOW"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-319","description":"CWE-319 Cleartext Transmission of Sensitive Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"d6c1279f-00f6-4ef7-9217-f89ffe703ec0","shortName":"palo_alto","dateUpdated":"2025-06-13T05:50:52.280Z"},"references":[{"tags":["vendor-advisory"],"url":"https://security.paloaltonetworks.com/CVE-2025-4227"}],"solutions":[{"lang":"eng","supportingMedia":[{"base64":false,"type":"text/html","value":"1. Upgrade the GlobalProtect App to one of the unaffected versions:<br><br><table><thead><tr><th>Version<br></th><th>Minor Version<br></th><th>Suggested Solution<br></th></tr></thead><tbody><tr>\n                                    <td>GlobalProtect App 6.3 on Windows, macOS<br></td>\n                                    <td>6.3.3<br>6.3.0 through 6.3.2</td>\n                                    <td>No solution available. A 6.3.3 hotfix is planned. (ETA: 12 June 2025).<br>Upgrade to 6.3.2-566 or later.</td>\n                                </tr><tr><td>GlobalProtect App 6.2 on Windows, macOS</td><td>6.2.0&nbsp;through 6.2.8-223</td><td>Upgrade to 6.3.2-566 or later. A new hotfix for 6.2.8 is planned. (ETA: June 2025).<br></td></tr><tr><td>GlobalProtect App 6.1 on Windows, macOS</td><td>All</td><td>Upgrade to 6.3.2-566 or later.<br></td></tr><tr><td>GlobalProtect App 6.0 on Windows, macOS</td><td>All</td><td>Upgrade to 6.3.2-566 or later.<br></td></tr><tr><td>GlobalProtect App on Linux, Android, iOS, Chrome OS, UWP</td><td>All</td><td>Not applicable.</td></tr></tbody></table><br>2. Ensure that \"Endpoint Traffic Policy Enforcement\" is set to “All Traffic” under the GlobalProtect App Configurations.<br><ul><li>Network <b>&gt;</b> GlobalProtect <b>&gt;</b> Portals <b>&gt;</b> (Open Portal configuration) <b>&gt;</b> Agent tab <b>&gt;</b> (Open Agent configuration) <b>&gt;</b> App tab <b>&gt;</b> App Configurations <b>&gt;</b>  Endpoint Traffic Policy Enforcement (Select: All Traffic)<br><br></li></ul>3. GlobalProtect Portal: Enable \"Allow Gateway Access from GlobalProtect Only\" (Requires Content version 8977 or newer). This must be enabled in conjunction with \"Endpoint Traffic Policy Enforcement\" under the GlobalProtect App Configurations.<br><ul><li>Network <b>&gt;</b> GlobalProtect <b>&gt;</b> Portals <b>&gt;</b> (Open Portal configuration) <b>&gt;</b> Agent tab <b>&gt;</b> (Open Agent configuration) <b>&gt;</b> App tab <b>&gt;</b> App Configurations <b>&gt;</b>  Allow Gateway Access from GlobalProtect Only (Select: Yes)<br></li></ul>4. Commit your configuration."}],"value":"1. Upgrade the GlobalProtect App to one of the unaffected versions:\n\nVersion\nMinor Version\nSuggested Solution\n\n                                    GlobalProtect App 6.3 on Windows, macOS\n\n                                    6.3.3\n6.3.0 through 6.3.2\n                                    No solution available. A 6.3.3 hotfix is planned. (ETA: 12 June 2025).\nUpgrade to 6.3.2-566 or later.\n                                GlobalProtect App 6.2 on Windows, macOS6.2.0 through 6.2.8-223Upgrade to 6.3.2-566 or later. A new hotfix for 6.2.8 is planned. (ETA: June 2025).\nGlobalProtect App 6.1 on Windows, macOSAllUpgrade to 6.3.2-566 or later.\nGlobalProtect App 6.0 on Windows, macOSAllUpgrade to 6.3.2-566 or later.\nGlobalProtect App on Linux, Android, iOS, Chrome OS, UWPAllNot applicable.\n2. Ensure that \"Endpoint Traffic Policy Enforcement\" is set to “All Traffic” under the GlobalProtect App Configurations.\n  *  Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations >  Endpoint Traffic Policy Enforcement (Select: All Traffic)\n\n\n\n\n3. GlobalProtect Portal: Enable \"Allow Gateway Access from GlobalProtect Only\" (Requires Content version 8977 or newer). This must be enabled in conjunction with \"Endpoint Traffic Policy Enforcement\" under the GlobalProtect App Configurations.\n  *  Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations >  Allow Gateway Access from GlobalProtect Only (Select: Yes)\n\n\n\n4. Commit your configuration."}],"source":{"defect":["GPC-22460"],"discovery":"EXTERNAL"},"timeline":[{"lang":"en","time":"2025-06-11T16:00:00.000Z","value":"Initial Publication"}],"title":"GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<h3>Available Mitigation when solution interferes with&nbsp;Autonomous Digital Experience Management (ADEM)</h3><ul><li><a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\">ADEM</a> functionality depends on ICMP probes that must be sent outside of the secure tunnel. When \"Allow Gateway Access from GlobalProtect Only\" is set to \"Yes\" and \"Endpoint Traffic Policy Enforcement\" is configured as \"All Traffic,\" these <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\">ADEM</a> probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.</li><li>This issue can be addressed by changing \"Endpoint Traffic Policy Enforcement\" to \"All TCP/UDP Traffic.\" This adjustment prevents interception of TCP and UDP traffic while allowing <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem\">ADEM</a> probes to function properly. However, this configuration still permits ICMP, and other non-TCP/UDP traffic to be intercepted.&nbsp;<br></li></ul>"}],"value":"Available Mitigation when solution interferes with Autonomous Digital Experience Management (ADEM)  *   ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem  functionality depends on ICMP probes that must be sent outside of the secure tunnel. When \"Allow Gateway Access from GlobalProtect Only\" is set to \"Yes\" and \"Endpoint Traffic Policy Enforcement\" is configured as \"All Traffic,\" these  ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem  probes will fail because they are forcefully transmitted through the encrypted tunnel rather than via their required direct path.\n  *  This issue can be addressed by changing \"Endpoint Traffic Policy Enforcement\" to \"All TCP/UDP Traffic.\" This adjustment prevents interception of TCP and UDP traffic while allowing  ADEM https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem  probes to function properly. However, this configuration still permits ICMP, and other non-TCP/UDP traffic to be intercepted."}],"x_affectedList":["GlobalProtect App 6.3.2","GlobalProtect App 6.3.1","GlobalProtect App 6.3.0","GlobalProtect App 6.3","GlobalProtect App 6.2.7","GlobalProtect App 6.2.6","GlobalProtect App 6.2.4","GlobalProtect App 6.2.3","GlobalProtect App 6.2.2","GlobalProtect App 6.2.1","GlobalProtect App 6.2.0","GlobalProtect App 6.2","GlobalProtect App 6.1.7","GlobalProtect App 6.1.6","GlobalProtect App 6.1.5","GlobalProtect App 6.1.4","GlobalProtect App 6.1.3","GlobalProtect App 6.1.2","GlobalProtect App 6.1.1","GlobalProtect App 6.1.0","GlobalProtect App 6.1","GlobalProtect App 6.0.11","GlobalProtect App 6.0.10","GlobalProtect App 6.0.8","GlobalProtect App 6.0.7","GlobalProtect App 6.0.6","GlobalProtect App 6.0.5","GlobalProtect App 6.0.4","GlobalProtect App 6.0.3","GlobalProtect App 6.0.2","GlobalProtect App 6.0.1","GlobalProtect App 6.0.0","GlobalProtect App 6.0"],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-06-13T18:50:08.392375Z","id":"CVE-2025-4227","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-23T16:06:55.397Z"}}]}}