CVE-2025-0117 is a vulnerability classified under CWE-807, indicating reliance on untrusted inputs in a security decision within the Palo Alto Networks GlobalProtect App for Windows. The flaw affects versions 6.0.0 through 6.3.0 of the Windows client. The vulnerability arises because the application improperly trusts input that can be influenced by a locally authenticated non-administrative user, allowing them to escalate privileges to NT AUTHORITY\SYSTEM, the highest privilege level on Windows systems. This escalation bypasses intended access controls, enabling full control over the affected system. The vulnerability does not affect GlobalProtect clients on other platforms such as macOS, Linux, iOS, Android, Chrome OS, or the UWP app. Exploitation requires local access and some user interaction but no administrative rights, making it a significant threat in environments where users have local accounts but limited privileges. The CVSS 4.0 vector indicates low attack complexity and partial user interaction, with no requirement for prior authentication beyond local user access. No public exploits are known at this time, but the potential for privilege escalation makes this a critical issue for organizations relying on GlobalProtect for VPN and network security. The vulnerability was published on March 12, 2025, and is currently unpatched as no patch links are provided.

The primary impact of CVE-2025-0117 is local privilege escalation on Windows devices running vulnerable versions of the GlobalProtect App. An attacker with a non-administrative local account can gain SYSTEM-level privileges, effectively taking full control of the device. This can lead to unauthorized access to sensitive data, installation of persistent malware, disabling of security controls, and lateral movement within corporate networks. For organizations, this undermines the security assurances provided by GlobalProtect, potentially exposing critical infrastructure and confidential information. The vulnerability is particularly concerning in environments where endpoint devices are shared or where users have limited but non-zero local privileges. Since GlobalProtect is widely used in enterprise VPN solutions, the scope of affected systems is substantial. Although exploitation requires local access, the ease of privilege escalation increases the risk of insider threats and post-compromise attacks. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a high-risk vector until patched.

Organizations should immediately audit their Windows endpoints to identify installations of GlobalProtect versions 6.0.0 through 6.3.0. Until a patch is released, apply the following mitigations: restrict local user account privileges to the minimum necessary, disable or limit local user interaction on sensitive systems, and enforce strict endpoint security policies including application whitelisting and behavior monitoring to detect suspicious privilege escalation attempts. Employ endpoint detection and response (EDR) solutions to monitor for unusual process behavior indicative of exploitation. Network segmentation can limit lateral movement if a device is compromised. Coordinate with Palo Alto Networks for timely patch deployment once available. Additionally, educate users about the risks of local privilege escalation and enforce strong local account management policies. Regularly review and update VPN client software to the latest secure versions to reduce exposure to known vulnerabilities.