CVE-2025-0118 Overview
A vulnerability exists in the Palo Alto Networks GlobalProtect app on Windows that allows a remote attacker to run ActiveX controls within the context of an authenticated Windows user. This enables the attacker to execute commands as if they are a legitimate authenticated user. The vulnerability requires user interaction—specifically, the authenticated user must navigate to a malicious page during the GlobalProtect SAML login process on a Windows device.
This vulnerability is specific to the Windows platform and does not affect GlobalProtect installations on macOS, Linux, iOS, or Android.
Critical Impact
Remote attackers can execute arbitrary ActiveX controls and commands with the privileges of an authenticated Windows user during the SAML authentication flow.
Affected Products
- Palo Alto Networks GlobalProtect for Windows
- GlobalProtect versions prior to patched releases (see vendor advisory for specific version ranges)
Discovery Timeline
- March 12, 2025 - CVE-2025-0118 published to NVD
- June 27, 2025 - Last updated in NVD database
Technical Details for CVE-2025-0118
Vulnerability Analysis
This vulnerability is classified under CWE-618 (Exposed Dangerous Method or Function). The GlobalProtect app on Windows exposes ActiveX control functionality in a manner that can be exploited during the SAML login process. When a user authenticates using SAML, the application renders web content that, if manipulated by an attacker, can execute arbitrary ActiveX controls.
The attack requires the victim to navigate to a malicious page during the authentication flow, making it a network-based attack that requires user interaction. The vulnerability allows attackers to leverage the authenticated user's privileges to run commands, potentially leading to data exfiltration, lateral movement, or further system compromise.
Root Cause
The root cause stems from improper exposure of dangerous ActiveX methods within the GlobalProtect app's SAML authentication workflow on Windows. The application fails to adequately restrict which ActiveX controls can be instantiated and executed when rendering web content during the login process.
ActiveX controls have historically been a significant attack surface in Windows environments due to their deep system integration capabilities. The GlobalProtect application's web rendering component during SAML authentication does not properly sanitize or restrict ActiveX instantiation, allowing malicious web pages to trigger arbitrary control execution.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious web page and trick an authenticated user into visiting it during the GlobalProtect SAML login flow. The attack sequence involves:
- The attacker prepares a malicious web page containing crafted ActiveX control invocations
- The victim initiates a GlobalProtect SAML authentication session on their Windows device
- Through phishing, DNS manipulation, or other redirection techniques, the attacker causes the victim to load the malicious page within the authentication context
- The ActiveX controls execute with the privileges of the authenticated Windows user
The vulnerability leverages the trust relationship established during the SAML authentication process, where the GlobalProtect application renders web content with elevated privileges.
Detection Methods for CVE-2025-0118
Indicators of Compromise
- Unusual ActiveX control instantiation events associated with PanGPS.exe or related GlobalProtect processes
- Network connections to unexpected external domains during GlobalProtect SAML authentication
- Suspicious child processes spawned by GlobalProtect application components
- Anomalous command execution patterns originating from GlobalProtect-related processes
Detection Strategies
- Monitor Windows Event Logs for unusual COM/ActiveX object instantiation events during GlobalProtect sessions
- Implement network monitoring to detect connections to suspicious or unknown domains during SAML authentication flows
- Deploy endpoint detection rules to alert on unexpected child processes spawned by GlobalProtect executables
- Enable enhanced logging for SAML authentication events in GlobalProtect
Monitoring Recommendations
- Configure SentinelOne to monitor for suspicious process behavior related to GlobalProtect components
- Implement DNS query logging to identify potentially malicious redirections during authentication
- Enable Windows Security Event logging (Event ID 4688) for process creation auditing
- Review GlobalProtect application logs for authentication anomalies
How to Mitigate CVE-2025-0118
Immediate Actions Required
- Update Palo Alto Networks GlobalProtect for Windows to the latest patched version immediately
- Review the Palo Alto Networks Security Advisory for specific version guidance
- Educate users about the risks of navigating to unknown pages during VPN authentication
- Consider implementing network segmentation to limit potential lateral movement
Patch Information
Palo Alto Networks has released security patches addressing this vulnerability. Organizations should consult the official Palo Alto Networks advisory for the specific patched versions and download links. Prioritize patching all Windows endpoints running the GlobalProtect application.
Workarounds
- Implement strict web filtering policies to block access to known malicious domains during authentication
- Consider using alternative authentication methods (non-SAML) where feasible until patching is complete
- Deploy browser isolation technologies to contain potential exploitation attempts
- Restrict ActiveX control usage through Group Policy settings where compatible with business requirements
# Example Group Policy setting to restrict ActiveX (adjust based on environment)
# Navigate to: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features
# Enable: "Restrict ActiveX Install" and configure for high security zones
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
