{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-0251/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GlobalProtect App"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","cve-2026-0251","palo alto networks","globalprotect"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks"],"content_html":"\u003cp\u003eMultiple local privilege escalation vulnerabilities, tracked as CVE-2026-0251, affect Palo Alto Networks GlobalProtect App versions before 6.3.3-h9 on Windows and macOS, and before 6.3.3-h2 on Linux. A local, non-administrative user can exploit these vulnerabilities to escalate their privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux. Successful exploitation allows the attacker to execute arbitrary commands with administrative privileges. The GlobalProtect app on iOS, Android, Chrome OS, and GlobalProtect UWP app are not affected. Palo Alto Networks internally discovered these vulnerabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-administrative user gains local access to a system with a vulnerable version of the GlobalProtect App installed.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an exploitable path within the GlobalProtect App due to an untrusted search path (CWE-426).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious executable or script and places it in a directory where the GlobalProtect App will search for it.\u003c/li\u003e\n\u003cli\u003eThe GlobalProtect App, running with elevated privileges (NT AUTHORITY\\SYSTEM on Windows, root on macOS/Linux), attempts to load or execute the malicious file.\u003c/li\u003e\n\u003cli\u003eDue to the untrusted search path, the attacker\u0026rsquo;s malicious file is executed instead of the intended legitimate application component.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes with the elevated privileges of the GlobalProtect App.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to execute arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0251 allows a local, non-administrative user to gain full administrative control over the affected system. This can lead to unauthorized data access, modification, or deletion, installation of malware, and complete system compromise. Palo Alto Networks is not aware of any malicious exploitation of these issues.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Windows to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on macOS to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003cli\u003eUpgrade GlobalProtect App on Linux to version 6.0.11 or later for 6.0 and 6.3.3-h2 (6.3.3-42) or later for 6.2 and 6.3 to remediate CVE-2026-0251 as per the vendor advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T16:02:54Z","date_published":"2026-05-13T16:02:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/","summary":"Multiple local privilege escalation vulnerabilities exist in Palo Alto Networks GlobalProtect App, allowing a local user to escalate privileges to NT AUTHORITY\\SYSTEM on Windows and root on macOS and Linux, enabling arbitrary command execution with administrative privileges.","title":"CVE-2026-0251: Palo Alto Networks GlobalProtect App Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0251-globalprotect-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-0251","version":"https://jsonfeed.org/version/1.1"}