Attack Chain

1. A non-administrative user gains local access to a system with a vulnerable version of the GlobalProtect App installed.
2. The attacker identifies an exploitable path within the GlobalProtect App due to an untrusted search path (CWE-426).
3. The attacker crafts a malicious executable or script and places it in a directory where the GlobalProtect App will search for it.
4. The GlobalProtect App, running with elevated privileges (NT AUTHORITY\SYSTEM on Windows, root on macOS/Linux), attempts to load or execute the malicious file.
5. Due to the untrusted search path, the attacker’s malicious file is executed instead of the intended legitimate application component.
6. The malicious code executes with the elevated privileges of the GlobalProtect App.
7. The attacker leverages the elevated privileges to execute arbitrary commands.

Impact

Successful exploitation of CVE-2026-0251 allows a local, non-administrative user to gain full administrative control over the affected system. This can lead to unauthorized data access, modification, or deletion, installation of malware, and complete system compromise. Palo Alto Networks is not aware of any malicious exploitation of these issues.

Recommendation

• Upgrade GlobalProtect App on Windows to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.
• Upgrade GlobalProtect App on macOS to version 6.0.13 or later for 6.0, 6.2.8-h10 (6.2.8-948) or later for 6.2, and 6.3.3-h9 (6.3.3-999) or later for 6.3 to remediate CVE-2026-0251 as per the vendor advisory.
• Upgrade GlobalProtect App on Linux to version 6.0.11 or later for 6.0 and 6.3.3-h2 (6.3.3-42) or later for 6.2 and 6.3 to remediate CVE-2026-0251 as per the vendor advisory.