CVE-2025-4227

GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement

Description

An improper access control vulnerability in the Endpoint Traffic Policy Enforcement feature (https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/endpoint-traffic-policy-enforcement) of the Palo Alto Networks GlobalProtect™ app allows certain packets to remain unencrypted instead of being properly secured within the tunnel. An attacker with physical access to the network can inject rogue devices to intercept these packets. Under normal operating conditions, the GlobalProtect app automatically recovers from this interception within one minute.

Remediation

Solution:

  1. Upgrade the GlobalProtect App to one of the unaffected versions:

     Version | Minor Version | Suggested Solution
     GlobalProtect App 6.3 on Windows, macOS | 6.3.3 | No solution available. A 6.3.3 hotfix is planned (ETA: 12 June 2025).
     GlobalProtect App 6.3 on Windows, macOS | 6.3.0 through 6.3.2 | Upgrade to 6.3.2-566 or later.
     GlobalProtect App 6.2 on Windows, macOS | 6.2.0 through 6.2.8-223 | Upgrade to 6.3.2-566 or later. A new hotfix for 6.2.8 is planned (ETA: June 2025).
     GlobalProtect App 6.1 on Windows, macOS | All | Upgrade to 6.3.2-566 or later.
     GlobalProtect App 6.0 on Windows, macOS | All | Upgrade to 6.3.2-566 or later.
     GlobalProtect App on Linux, Android, iOS, Chrome OS, UWP | All | Not applicable.

  2. Ensure that "Endpoint Traffic Policy Enforcement" is set to "All Traffic" under the GlobalProtect App Configurations.
     * Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations > Endpoint Traffic Policy Enforcement (Select: All Traffic)

  3. GlobalProtect Portal: Enable "Allow Gateway Access from GlobalProtect Only" (requires Content version 8977 or newer). This must be enabled in conjunction with "Endpoint Traffic Policy Enforcement" under the GlobalProtect App Configurations.
     * Network > GlobalProtect > Portals > (Open Portal configuration) > Agent tab > (Open Agent configuration) > App tab > App Configurations > Allow Gateway Access from GlobalProtect Only (Select: Yes)

  4. Commit your configuration.
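The version table above is awkward to apply by hand across a fleet because the fixed build (6.3.2-566) sits between two base releases and 6.3.3 is affected despite being newer. The following script is an added example, not vendor code: it encodes the table so an inventory export (platform, reported app version) can be classified. It assumes version strings of the form "major.minor.patch" or "major.minor.patch-build"; versions the advisory does not list (other majors, 6.3.4 and later, or a 6.2.8 build above 223) are reported as such rather than guessed.

```python
import re
from typing import Tuple

# Thresholds taken from the remediation table for Windows and macOS builds.
FIXED_63 = (6, 3, 2, 566)           # "Upgrade to 6.3.2-566 or later"
LAST_AFFECTED_62 = (6, 2, 8, 223)   # "6.2.0 through 6.2.8-223"
NOT_APPLICABLE = {"linux", "android", "ios", "chrome os", "uwp"}
IN_SCOPE = {"windows", "macos"}

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-build]'; a missing build sorts as 0 (assumption),
    so a base release such as 6.3.2 compares below the 6.3.2-566 hotfix."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))

def assess(platform: str, version: str) -> str:
    """Map one installed GlobalProtect app to the advisory's guidance."""
    p = platform.strip().lower()
    if p in NOT_APPLICABLE:
        return "not applicable"
    if p not in IN_SCOPE:
        return "unknown platform"
    v = parse_version(version)
    if v[0] != 6 or v[1] > 3:
        return "not listed in advisory"
    if v[1] in (0, 1):                          # 6.0.x and 6.1.x: all builds
        return "affected: upgrade to 6.3.2-566 or later"
    if v[1] == 2:                               # 6.2.0 through 6.2.8-223
        if v <= LAST_AFFECTED_62:
            return "affected: upgrade to 6.3.2-566 or later"
        return "not listed in advisory"         # e.g. the planned 6.2.8 hotfix
    if v[2] == 3:                               # 6.3.3: hotfix planned, none shipped
        return "affected: no fix available yet (6.3.3 hotfix planned)"
    if v[2] > 3:
        return "not listed in advisory"
    if v < FIXED_63:                            # 6.3.0 up to but excluding 6.3.2-566
        return "affected: upgrade to 6.3.2-566 or later"
    return "not affected"

if __name__ == "__main__":
    # Constructed sample inventory rows, not real hosts.
    for platform, version in [("Windows", "6.3.2-565"), ("macOS", "6.3.2-566"),
                              ("Windows", "6.3.3"), ("Linux", "6.1.0")]:
        print(f"{platform:8} {version:10} -> {assess(platform, version)}")
```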

Workaround:

  • Available mitigation when the solution interferes with Autonomous Digital Experience Management (ADEM):
    * ADEM (https://docs.paloaltonetworks.com/autonomous-dem/administration/autonomous-dem) functionality depends on ICMP probes that must be sent outside of the secure tunnel. When "Allow Gateway Access from GlobalProtect Only" is set to "Yes" and "Endpoint Traffic Policy Enforcement" is configured as "All Traffic", these ADEM probes will fail because they are forcibly transmitted through the encrypted tunnel rather than via their required direct path.
    * This issue can be addressed by changing "Endpoint Traffic Policy Enforcement" to "All TCP/UDP Traffic". This adjustment prevents interception of TCP and UDP traffic while allowing ADEM probes to function properly. However, this configuration still permits ICMP and other non-TCP/UDP traffic to be intercepted.

CVSS
Severity: Low
EPSS: 0.01%
Vendor Advisory: paloaltonetworks.com
Affected: Palo Alto Networks GlobalProtect App

Frequently Asked Questions

What is the severity of CVE-2025-4227?
CVE-2025-4227 has been scored as a low severity vulnerability.
How to fix CVE-2025-4227?
To fix CVE-2025-4227 on Windows and macOS: (1) upgrade the GlobalProtect App to 6.3.2-566 or later (a 6.3.3 hotfix is planned with an ETA of 12 June 2025, and a new 6.2.8 hotfix is planned for June 2025; Linux, Android, iOS, Chrome OS and UWP are not affected); (2) set "Endpoint Traffic Policy Enforcement" to "All Traffic" under the GlobalProtect App Configurations; (3) enable "Allow Gateway Access from GlobalProtect Only" on the GlobalProtect Portal (requires Content version 8977 or newer) together with Endpoint Traffic Policy Enforcement; (4) commit the configuration. The full version table and the Network > GlobalProtect > Portals configuration paths are given in the Remediation section above.
Is CVE-2025-4227 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-4227 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4227?
CVE-2025-4227 affects the Palo Alto Networks GlobalProtect App.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.