<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-0249 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-0249/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 13 May 2026 16:07:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-0249/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0249 GlobalProtect App: Certificate Validation Bypass Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0249-globalprotect-cert-bypass/</link><pubDate>Wed, 13 May 2026 16:07:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0249-globalprotect-cert-bypass/</guid><description>CVE-2026-0249 describes multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect app that could allow an attacker to intercept encrypted communications and potentially compromise the endpoint, especially on macOS, Android, and ChromeOS.</description><content:encoded><![CDATA[<p>Palo Alto Networks has disclosed CVE-2026-0249, which details certificate validation bypass vulnerabilities within the GlobalProtect app. Successful exploitation could allow a man-in-the-middle attacker on the same network segment to intercept encrypted communications between the GlobalProtect client and the VPN server, potentially leading to the compromise of the endpoint. The vulnerability affects specific versions of the GlobalProtect app on macOS, Android and ChromeOS.
Specifically, macOS versions 6.0.0 through 6.0.12, 6.2.0 through 6.2.8-h9, and 6.3.0 through 6.3.3-h8 are affected. Android and ChromeOS versions 6.0.0 through 6.0.13 and 6.1.0 through 6.1.12 are also vulnerable. Windows, Linux and iOS are not affected. This vulnerability could facilitate the installation of malicious software by redirecting traffic to an attacker-controlled server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains a man-in-the-middle position on the same network as the GlobalProtect client. This could be achieved through ARP spoofing or rogue Wi-Fi access points.</li>
<li>The user launches the vulnerable GlobalProtect app on macOS, Android, or ChromeOS.</li>
<li>The GlobalProtect app attempts to establish a VPN connection to the legitimate VPN server.</li>
<li>Due to the certificate validation vulnerabilities (CWE-295), the attacker intercepts the TLS handshake.</li>
<li>The attacker presents a fraudulent certificate to the GlobalProtect app. The app fails to properly validate the certificate.</li>
<li>An encrypted tunnel is established between the GlobalProtect client and the attacker&rsquo;s server.</li>
<li>All network traffic from the GlobalProtect client is now routed through the attacker&rsquo;s server.</li>
<li>The attacker redirects traffic destined for legitimate resources to attacker-controlled servers, facilitating the installation of malicious software.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0249 can allow an attacker to intercept sensitive information transmitted through the VPN connection. An attacker can redirect traffic and potentially install malware, leading to data breaches, system compromise, and further lateral movement within the network. Palo Alto Networks is not aware of any malicious exploitation of these issues. The affected platforms include macOS, Android and ChromeOS.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the GlobalProtect app on macOS to the fixed release for the installed branch: 6.0.13 or later, 6.2.8-h10 (6.2.8-948) or later, or 6.3.3-h9 (6.3.3-999) or later, to remediate CVE-2026-0249.</li>
<li>Upgrade the GlobalProtect app on Android and ChromeOS to the fixed release for the installed branch: 6.0.14 or later, or 6.1.13 or later, to remediate CVE-2026-0249.</li>
<li>Monitor network traffic for unexpected certificate errors or connections to unusual domains from GlobalProtect clients, using a network intrusion detection system.</li>
<li>Consider implementing additional security measures, such as multi-factor authentication and endpoint detection and response (EDR) solutions, to mitigate the risk of endpoint compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-0249</category><category>certificate validation</category><category>man-in-the-middle</category><category>globalprotect</category><category>vpn</category></item></channel></rss>