Cyber Resilience

CVE-2025-0118

Medium

Published: 12 March 2025

Modified: 27 June 2025
CVSS v4 score: 6.0
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
EPSS score: 0.0099 (77.3th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0118 is a medium-severity Exposed Unsafe ActiveX Method (CWE-618) vulnerability in Palo Alto Networks GlobalProtect. Its CVSS v4 base score is 6.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 22.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0118 is a vulnerability in the Palo Alto Networks GlobalProtect app on Windows that allows a remote attacker to execute ActiveX controls within the context of an authenticated Windows user. This flaw enables the attacker to run arbitrary commands with the privileges of the legitimate authenticated user. The issue is specific to the GlobalProtect app on Windows devices and does not affect the app on other platforms. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-618.

Exploitation requires an authenticated user with low privileges (PR:L) to navigate to a malicious web page during the GlobalProtect SAML login process on a Windows device, involving user interaction (UI:R). A remote attacker (AV:N) can then leverage this to achieve high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) by executing commands in the user's context, potentially leading to full system compromise for the affected user.

For mitigation details, including available patches, refer to the official Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2025-0118. The vulnerability was published on 2025-03-12.

Vulnerability details

A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device. This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

A vulnerability in the Windows GlobalProtect client enables remote arbitrary command execution via ActiveX when a user visits a malicious web page during SAML login, directly facilitating T1203 (Exploitation for Client Execution) and T1204.001 (User Execution: Malicious Link).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0227 · Same product class: VPN / SSL gateway
CVE-2024-3400 · Same product class: VPN / SSL gateway
CVE-2025-0111 · Same product class: VPN / SSL gateway
CVE-2026-0257 · Same product class: VPN / SSL gateway
CVE-2025-0108 · Same product class: VPN / SSL gateway
CVE-2025-0114 · Same product class: VPN / SSL gateway
CVE-2026-0300 · Same product class: VPN / SSL gateway
CVE-2016-5195 · Same product class: VPN / SSL gateway
CVE-2026-27197 · Same product class: VPN / SSL gateway
CVE-2026-3055 · Same product class: VPN / SSL gateway

Affected Assets

paloaltonetworks
globalprotect
6.0.0 — 6.0.11 · 6.1.0 — 6.1.6 · 6.2.0 — 6.2.5

Mitigating Controls (NIST 800-53 r5; AI)

prevent

Directly addresses the vulnerability by requiring timely flaw remediation, including patching the GlobalProtect app as specified in the Palo Alto Networks advisory.

prevent

Protects against unauthorized execution of mobile code technologies like ActiveX controls exploited during the GlobalProtect SAML login process.

prevent · detect

Deploys malicious code protection mechanisms on Windows endpoints to scan for and block arbitrary command execution via exploited ActiveX controls.
