{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/globalprotect-app/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlobalProtect App"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0249","certificate validation","man-in-the-middle","globalprotect","vpn"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003ePalo Alto Networks has disclosed CVE-2026-0249, which details certificate validation bypass vulnerabilities within the GlobalProtect app. Successful exploitation could allow a man-in-the-middle attacker on the same network segment to intercept encrypted communications between the GlobalProtect client and the VPN server, potentially leading to the compromise of the endpoint. The vulnerability affects specific versions of the GlobalProtect app on macOS, Android and ChromeOS. Specifically, macOS versions 6.0.0 through 6.0.12, 6.2.0 through 6.2.8-h9, and 6.3.0 through 6.3.3-h8 are affected. Android and ChromeOS versions 6.0.0 through 6.0.13 and 6.1.0 through 6.1.12 are also vulnerable. Windows, Linux and iOS are not affected. This vulnerability could facilitate the installation of malicious software by redirecting traffic to an attacker-controlled server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains a man-in-the-middle position on the same network as the GlobalProtect client. 
This could be achieved through ARP spoofing or a rogue Wi-Fi access point.\u003c/li\u003e\n\u003cli\u003eThe user launches the vulnerable GlobalProtect app on macOS, Android, or ChromeOS.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect app attempts to establish a VPN connection to the legitimate VPN server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the TLS handshake and presents a fraudulent certificate to the GlobalProtect app.\u003c/li\u003e\n\u003cli\u003eBecause of the certificate validation vulnerabilities (CWE-295), the app accepts the fraudulent certificate instead of rejecting it.\u003c/li\u003e\n\u003cli\u003eThe encrypted session is therefore established with the attacker\u0026rsquo;s server rather than the legitimate VPN server.\u003c/li\u003e\n\u003cli\u003eAll network traffic from the GlobalProtect client is now routed through the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects traffic destined for legitimate resources to attacker-controlled servers, facilitating the installation of malicious software.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0249 allows an attacker to read sensitive information transmitted through the VPN connection. The attacker can redirect traffic and potentially install malware, leading to data breaches, system compromise, and further lateral movement within the network. Palo Alto Networks is not aware of any malicious exploitation of these issues. 
The affected platforms are macOS, Android and ChromeOS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GlobalProtect App on macOS to 6.0.13 or later on the 6.0 branch, 6.2.8-h10 (6.2.8-948) or later on the 6.2 branch, or 6.3.3-h9 (6.3.3-999) or later on the 6.3 branch to remediate CVE-2026-0249.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Android and ChromeOS to 6.0.14 or later on the 6.0 branch or 6.1.13 or later on the 6.1 branch to remediate CVE-2026-0249.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected certificate errors and for GlobalProtect client connections to portal or gateway addresses other than the expected ones, using a network intrusion detection system. Note that a client that accepts the fraudulent certificate logs no certificate error, so this is a weak signal; an inventory of installed client versions is the reliable check.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional security measures, such as multi-factor authentication and endpoint detection and response (EDR) solutions, to mitigate the risk of endpoint compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:07:33Z","date_published":"2026-05-13T16:07:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0249-globalprotect-cert-bypass/","summary":"CVE-2026-0249 describes multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app that could allow a man-in-the-middle attacker to intercept encrypted communications and potentially compromise the endpoint; only macOS, Android and ChromeOS are affected.","title":"CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0249-globalprotect-cert-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlobalProtect App","GlobalProtect UWP App"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-0250","buffer-overflow","man-in-the-middle"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eA buffer overflow vulnerability, identified as CVE-2026-0250, affects 
the Palo Alto Networks GlobalProtect App. This vulnerability can be exploited by a man-in-the-middle attacker positioned to intercept network traffic between the GlobalProtect app and a GlobalProtect Portal or Gateway. Successful exploitation could allow the attacker to disrupt system processes or potentially execute arbitrary code with SYSTEM privileges on the affected endpoint. The vulnerability stems from improper handling by the app of requests and responses exchanged with the Portal or Gateway. The GlobalProtect app on iOS is not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains a man-in-the-middle position on the network between the GlobalProtect client and the GlobalProtect Portal/Gateway.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect client initiates a connection to the GlobalProtect Portal or Gateway.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the initial request from the GlobalProtect client.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious response containing a buffer overflow payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious response to the GlobalProtect client.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect client processes the malicious response, triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow allows the attacker to overwrite parts of memory, potentially corrupting system processes.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains the ability to execute arbitrary code with SYSTEM privileges, leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0250 can disrupt system processes on the affected endpoint, potentially causing a denial of service. 
In a more severe scenario, the attacker could achieve arbitrary code execution with SYSTEM privileges, leading to complete system compromise. Palo Alto Networks is not aware of any malicious exploitation of this issue, but the potential impact is significant because it could give an attacker full control of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Windows to 6.3.3-h9 (6.3.3-999) or later, 6.2.8-h10 (6.2.8-948) or later, or 6.0.13 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on macOS to 6.3.3-h9 (6.3.3-999) or later, 6.2.8-h10 (6.2.8-948) or later, or 6.0.13 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Linux to 6.3.3-h2 (6.3.3-42) or later, or 6.0.11 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Android to 6.1.13 or later, or 6.0.14 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on ChromeOS to 6.1.13 or later, or 6.0.14 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect UWP App to 6.3.3-h10 or later to patch CVE-2026-0250.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:04:16Z","date_published":"2026-05-13T16:04:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-globalprotect-buffer-overflow/","summary":"CVE-2026-0250 is a medium severity buffer overflow vulnerability in Palo Alto Networks GlobalProtect App that could allow a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges by intercepting and manipulating requests and responses between the app and the Portal or Gateway.","title":"CVE-2026-0250 Palo Alto Networks GlobalProtect App Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-globalprotect-buffer-overflow/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlobalProtect App"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","cve-2026-0251","palo alto networks","globalprotect"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eMultiple local privilege escalation vulnerabilities, tracked as CVE-2026-0251, affect Palo Alto Networks GlobalProtect App on Windows and macOS before 6.3.3-h9 (the 6.0 and 6.2 branches have their own fixed releases, listed under Recommendation) and on Linux before 6.3.3-h2. A local, non-administrative user can exploit these vulnerabilities to escalate their privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux. Successful exploitation allows the attacker to execute arbitrary commands with administrative privileges. The GlobalProtect app on iOS, Android and ChromeOS, and the GlobalProtect UWP app, are not affected. 
Palo Alto Networks internally discovered these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-administrative user gains local access to a system with a vulnerable version of the GlobalProtect App installed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an exploitable path within the GlobalProtect App due to an untrusted search path (CWE-426).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable or script and places it in a directory where the GlobalProtect App will search for it.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect App, running with elevated privileges (NT AUTHORITY\\SYSTEM on Windows, root on macOS/Linux), attempts to load or execute the malicious file.\u003c/li\u003e\n\u003cli\u003eDue to the untrusted search path, the attacker\u0026rsquo;s malicious file is executed instead of the intended legitimate application component.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes with the elevated privileges of the GlobalProtect App.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to execute arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0251 allows a local, non-administrative user to gain full administrative control over the affected system. This can lead to unauthorized data access, modification, or deletion, installation of malware, and complete system compromise. 
Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Windows to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on macOS to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Linux to version 6.0.11 or later for 6.0 and 6.3.3-h2 (6.3.3-42) or later for 6.2 and 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:54Z","date_published":"2026-05-13T16:02:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/","summary":"Multiple local privilege escalation vulnerabilities exist in Palo Alto Networks GlobalProtect App, allowing a local user to escalate privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux, enabling arbitrary command execution with administrative privileges.","title":"CVE-2026-0251: Palo Alto Networks GlobalProtect App Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — GlobalProtect App","version":"https://jsonfeed.org/version/1.1"}
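The three briefs above give fixed releases per platform and branch but leave the comparison to the reader. The script below is an added example, not CraftedSignal or Palo Alto Networks code, that turns those tables into an inventory check: it parses GlobalProtect version strings, including the `-hN` hotfix labels and the build numbers the briefs quote for them (6.2.8-948, 6.3.3-999, 6.3.3-42), and reports which of CVE-2026-0249, CVE-2026-0250 and CVE-2026-0251 a given platform/version is still exposed to. The fixed-version table is transcribed from the briefs; the platform key names and the inventory rows at the bottom are constructed for the example.

```python
"""Map installed GlobalProtect app builds to the CVEs on this page they remain exposed to.

Added example, not Palo Alto Networks or CraftedSignal code. The FIXED and BUILD_OF
tables are transcribed from the three briefs; SAMPLE_INVENTORY is constructed.
"""
import re

# Fixed release per CVE, platform and feature branch, as stated in the briefs. A branch
# whose fix lives on a later branch (Linux 6.2 for CVE-2026-0251 is fixed only by
# 6.3.3-h2) has no same-branch fix, so every build on it is flagged. Branches a brief
# does not name (e.g. Windows for CVE-2026-0249) are not flagged.
FIXED = {
    "CVE-2026-0249": {
        "macos":    {"6.0": "6.0.13", "6.2": "6.2.8-h10", "6.3": "6.3.3-h9"},
        "android":  {"6.0": "6.0.14", "6.1": "6.1.13"},
        "chromeos": {"6.0": "6.0.14", "6.1": "6.1.13"},
    },
    "CVE-2026-0250": {
        "windows":  {"6.0": "6.0.13", "6.2": "6.2.8-h10", "6.3": "6.3.3-h9"},
        "macos":    {"6.0": "6.0.13", "6.2": "6.2.8-h10", "6.3": "6.3.3-h9"},
        "linux":    {"6.0": "6.0.11", "6.3": "6.3.3-h2"},
        "android":  {"6.0": "6.0.14", "6.1": "6.1.13"},
        "chromeos": {"6.0": "6.0.14", "6.1": "6.1.13"},
        "uwp":      {"6.3": "6.3.3-h10"},
    },
    "CVE-2026-0251": {
        "windows": {"6.0": "6.0.13", "6.2": "6.2.8-h10", "6.3": "6.3.3-h9"},
        "macos":   {"6.0": "6.0.13", "6.2": "6.2.8-h10", "6.3": "6.3.3-h9"},
        "linux":   {"6.0": "6.0.11", "6.2": "6.3.3-h2", "6.3": "6.3.3-h2"},
    },
}

# Build numbers the briefs give for the hotfix releases, so an inventory that only
# reports a build such as "6.2.8-948" can still be compared with the hotfix label.
BUILD_OF = {"6.2.8-h10": 948, "6.3.3-h9": 999, "6.3.3-h2": 42}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(h\d+|\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix, build); hotfix and build are None if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GlobalProtect version: {text!r}")
    major, minor, patch, suffix = m.groups()
    hotfix = build = None
    if suffix and suffix.startswith("h"):
        hotfix = int(suffix[1:])
    elif suffix:
        build = int(suffix)
    return int(major), int(minor), int(patch), hotfix, build


def is_at_least(installed, fixed):
    """True if the installed build is the fixed release or newer."""
    i_major, i_minor, i_patch, i_hotfix, i_build = parse_version(installed)
    f_major, f_minor, f_patch, f_hotfix, _ = parse_version(fixed)
    if (i_major, i_minor, i_patch) != (f_major, f_minor, f_patch):
        return (i_major, i_minor, i_patch) > (f_major, f_minor, f_patch)
    # Same base release: decide on the hotfix label, or on the build number when the
    # inventory reports only a build and the brief told us the build of the fix.
    if i_hotfix is not None or i_build is None:
        return (i_hotfix or 0) >= (f_hotfix or 0)
    if fixed in BUILD_OF:
        return i_build >= BUILD_OF[fixed]
    raise ValueError(f"cannot compare build {installed} with {fixed}; look up its hotfix label")


def exposed_cves(platform, version):
    """CVE IDs from the briefs that this platform/version is still exposed to."""
    major, minor, *_ = parse_version(version)
    branch = f"{major}.{minor}"
    hits = []
    for cve, per_platform in FIXED.items():
        fixed = per_platform.get(platform.lower(), {}).get(branch)
        if fixed is not None and not is_at_least(version, fixed):
            hits.append(cve)
    return hits


# Constructed inventory rows (platform, version); not data from any real fleet.
SAMPLE_INVENTORY = [
    ("windows", "6.2.8-h9"),
    ("macos", "6.3.3-999"),
    ("linux", "6.2.5"),
    ("android", "6.1.12"),
    ("ios", "6.3.3"),
]

if __name__ == "__main__":
    for platform, version in SAMPLE_INVENTORY:
        exposed = ", ".join(exposed_cves(platform, version)) or "ok"
        print(f"{platform:8} {version:12} {exposed}")
```

A 6.2.x Linux build is flagged for CVE-2026-0251 because that brief names 6.3.3-h2 as the fix for both 6.2 and 6.3 on Linux, so there is no same-branch fix. Branches a brief does not name (Windows for CVE-2026-0249, Linux 6.2 for CVE-2026-0250) produce no hit, so keep the table in step with the vendor advisory rather than reading an empty result as proof that a build is safe.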