Palo Alto GlobalProtect Win: Authenticated Remote XSS Allows RCE via ActiveX
CVE-2025-0118 Published on March 12, 2025
GlobalProtect App: Execution of Unsafe ActiveX Control Vulnerability
A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.
This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.
Weakness Type
Exposed Unsafe ActiveX Method
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions outside of the browser's security model (e.g. the zone or domain). ActiveX controls can exercise far greater control over the operating system than typical Java or JavaScript. Exposed methods can be subject to various vulnerabilities, depending on the implemented behaviors of those methods and on whether input validation is performed on the provided arguments. If there is no integrity checking or origin validation, such a method could be invoked by attackers.
Products Associated with CVE-2025-0118
Affected Versions
Palo Alto Networks GlobalProtect App:
- Version 6.3.0 and below 6.3.3 is unaffected.
- Version 6.2.0 and below 6.2.5 is affected.
- Version 6.1.0 and below 6.1.6 is affected.
- Version 6.0.0 and below 6.0.11 is affected.
- Version All and below 6.3.3 is unaffected.
- Version All is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.