CVE-2024-5915 Overview
CVE-2024-5915 is a privilege escalation vulnerability in the Palo Alto Networks GlobalProtect application on Windows. The flaw allows a local user to execute programs with elevated privileges on an affected endpoint. The root cause is an incorrect permission assignment for a critical resource [CWE-732], which exposes a path for a low-privileged attacker to gain higher privileges on the host.
The vulnerability affects GlobalProtect deployments running on Windows, including version 6.3.0 and earlier releases identified in the vendor advisory. Successful exploitation requires local access but no user interaction.
Critical Impact
A local, authenticated user can leverage insecure permissions in the GlobalProtect Windows client to run code at elevated privilege, undermining endpoint trust boundaries and enabling further lateral movement.
Affected Products
- Palo Alto Networks GlobalProtect app for Windows (version 6.3.0)
- Earlier Windows GlobalProtect releases listed in the vendor advisory
- Windows endpoints with vulnerable GlobalProtect installations
Discovery Timeline
- 2024-08-14 - CVE-2024-5915 published to NVD
- 2024-08-20 - Last updated in NVD database
Technical Details for CVE-2024-5915
Vulnerability Analysis
The vulnerability stems from incorrect permission assignment on a critical resource used by the GlobalProtect Windows client. GlobalProtect runs components with SYSTEM privileges to manage VPN tunneling, certificate handling, and host configuration. When supporting files, directories, or registry keys controlled by these privileged components are writable by non-administrative users, a local attacker can modify or replace them to influence privileged execution.
The weakness is categorized under [CWE-732] Incorrect Permission Assignment for Critical Resource. Attack complexity is low because exploitation does not require defeating memory protections or chaining additional bugs. The attacker only needs an existing low-privileged session on the host.
Root Cause
GlobalProtect installs files or sets access control entries that grant write or modify permissions to standard users on resources later consumed by a higher-privileged service. When the privileged process loads, executes, or reads from those resources, attacker-controlled content can be processed in a SYSTEM context. The vendor advisory tracks this as a permissions issue resolved by tightening access control on affected resources.
Attack Vector
Exploitation is local. An attacker with valid credentials on the Windows endpoint identifies a writable GlobalProtect resource, plants a malicious payload or alters a configuration value, and triggers the privileged GlobalProtect service to act on it. The result is arbitrary code execution at elevated privilege without administrator credentials. Refer to the Palo Alto Networks Security Advisory for vendor-confirmed technical context.
Detection Methods for CVE-2024-5915
Indicators of Compromise
- Unexpected file writes or replacements in GlobalProtect installation directories by non-administrative user accounts.
- New or modified executables, DLLs, or scripts located in GlobalProtect-controlled paths immediately preceding SYSTEM-context process creation.
- GlobalProtect services launching child processes that are not part of normal client operation, such as command shells or scripting engines.
Detection Strategies
- Hunt for process lineage where PanGPS.exe or related GlobalProtect services spawn cmd.exe, powershell.exe, or other interactive interpreters.
- Alert on standard users writing to directories or registry keys owned by GlobalProtect that should be modifiable only by administrators.
- Correlate privilege transitions from medium or low integrity processes to SYSTEM integrity through GlobalProtect components.
Monitoring Recommendations
- Enable Windows object access auditing on GlobalProtect installation paths to capture writes by non-privileged principals.
- Track installed GlobalProtect versions across the fleet and flag hosts running releases listed as vulnerable in the vendor advisory.
- Forward endpoint telemetry to a centralized analytics platform so privilege escalation chains can be reconstructed across hosts.
How to Mitigate CVE-2024-5915
Immediate Actions Required
- Inventory all Windows endpoints running GlobalProtect and identify versions matching those listed in the vendor advisory.
- Apply the fixed GlobalProtect Windows release published by Palo Alto Networks as soon as change controls allow.
- Restrict interactive logon on high-value endpoints to reduce the population of users able to exercise a local attack vector.
- Review and remove unnecessary local user accounts that could be leveraged for local privilege escalation.
Patch Information
Palo Alto Networks has published fixed versions of the GlobalProtect Windows client. Refer to the Palo Alto Networks Security Advisory for the specific fixed release numbers and upgrade guidance. Deploy the patched client through your standard software distribution channel and verify the installed version on each host post-deployment.
Workarounds
- Where immediate patching is not possible, tighten file system and registry ACLs on GlobalProtect resources to remove write permissions for non-administrative users, following vendor guidance.
- Limit local user privileges and enforce application allowlisting to block unauthorized binaries from executing within GlobalProtect-controlled paths.
- Monitor GlobalProtect service activity closely until the patched version is deployed across the environment.
# Verify installed GlobalProtect version on Windows
reg query "HKLM\SOFTWARE\Palo Alto Networks\GlobalProtect" /v Version
# Audit ACLs on the GlobalProtect installation directory
icacls "C:\Program Files\Palo Alto Networks\GlobalProtect"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
