CVE-2025-0141 is an untrusted search path vulnerability (CWE-426) found in Palo Alto Networks GlobalProtect App versions 6.0.0 through 6.3.0 on macOS, Linux, and Windows platforms. The vulnerability stems from the application incorrectly assigning privileges and improperly handling the search path for executables or libraries, allowing a locally authenticated user with limited privileges to escalate to root on Unix-like systems or NT AUTHORITY\SYSTEM on Windows. This escalation occurs without requiring user interaction, making it a potent local privilege escalation vector. The vulnerability does not affect GlobalProtect versions on iOS, Android, Chrome OS, or the UWP app. The CVSS 4.0 base score is 8.4, reflecting high severity due to the ease of exploitation by a local attacker, the high impact on confidentiality, integrity, and availability, and the lack of required user interaction. While no public exploits have been reported yet, the vulnerability could be leveraged by malicious insiders or attackers who have gained limited local access to critical enterprise endpoints. The flaw highlights the risks of improper privilege assignment and the importance of secure search path handling in security-sensitive applications like VPN clients.

The vulnerability allows a local non-administrative user to gain full system privileges, which can lead to complete system compromise. Attackers could install persistent malware, disable security controls, exfiltrate sensitive data, or disrupt network connectivity by manipulating the GlobalProtect VPN client. Since GlobalProtect is widely deployed in enterprises for secure remote access, exploitation could undermine network security, allowing attackers to bypass perimeter defenses. The impact is especially severe in environments where endpoint security is critical, such as government, financial, healthcare, and critical infrastructure sectors. The ability to escalate privileges without user interaction increases the risk of automated or stealthy attacks. Organizations relying on GlobalProtect for VPN access may face increased risk of insider threats or lateral movement by attackers who have gained initial footholds on endpoints.

Organizations should immediately inventory their GlobalProtect App deployments to identify affected versions (6.0.0 to 6.3.0) on macOS, Linux, and Windows. Although no patches are currently linked, monitoring Palo Alto Networks advisories for updates or hotfixes is critical. Until patches are available, restrict local user permissions to prevent untrusted users from executing arbitrary code or modifying search paths. Implement application whitelisting and endpoint detection and response (EDR) solutions to detect suspicious privilege escalation attempts. Enforce strict local account management policies, including disabling unnecessary local accounts and limiting software installation rights. Conduct regular audits of installed software and system configurations to detect unauthorized changes. Network segmentation and multi-factor authentication for VPN access can reduce the risk of compromised credentials being leveraged alongside this vulnerability. Finally, educate users about the risks of local privilege escalation and the importance of reporting unusual system behavior.