CVE-2025-0118
Published: 12 March 2025
Summary
CVE-2025-0118 is a high-severity Exposed Unsafe ActiveX Method (CWE-618) vulnerability in Palo Alto Networks GlobalProtect. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 23.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the vulnerability by requiring timely flaw remediation, including patching the GlobalProtect app as specified in the Palo Alto Networks advisory.
Protects against unauthorized execution of mobile code technologies like ActiveX controls exploited during the GlobalProtect SAML login process.
Deploys malicious code protection mechanisms on Windows endpoints to scan for and block arbitrary command execution via exploited ActiveX controls.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the Windows GlobalProtect client enables remote arbitrary command execution via ActiveX when a user visits a malicious web page during SAML login, directly facilitating T1203 (Exploitation for Client Execution) and T1204.001 (Malicious Link for User Execution).
NVD Description
A vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to run commands as if they are a legitimate authenticated user. However, to exploit this vulnerability, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device. This issue does not apply to the GlobalProtect app on other (non-Windows) platforms.
Deeper analysis
CVE-2025-0118 is a vulnerability in the Palo Alto Networks GlobalProtect app on Windows that allows a remote attacker to execute ActiveX controls within the context of an authenticated Windows user. This flaw enables the attacker to run arbitrary commands with the privileges of the legitimate authenticated user. The issue is specific to the GlobalProtect app on Windows devices and does not affect the app on other platforms. It has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-618.
Exploitation requires an authenticated user with low privileges (PR:L) to navigate to a malicious web page during the GlobalProtect SAML login process on a Windows device, involving user interaction (UI:R). A remote attacker (AV:N) can then leverage this to achieve high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) by executing commands in the user's context, potentially leading to full system compromise for the affected user.
For mitigation details, including available patches, refer to the official Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2025-0118. The vulnerability was published on 2025-03-12.
Details
- CWE(s)