Palo Alto GlobalProtect: Remote Full Compromise Exploit Chain
2025-10-24, Europe

This session provides an in-depth analysis of multiple critical vulnerabilities discovered by Michelin CERT in the Palo Alto Networks GlobalProtect VPN client, referenced as CVE-2024-5921, CVE-2024-3390, CVE-2024-3391, CVE-2024-3392 and CVE-2025-0118.

The research highlights how attackers on the same network can exploit weaknesses in certificate verification, root CA management, embedded browser authentication, and client-server communications to achieve remote code execution and privilege escalation on Windows workstations.

Elements highlighted during the session:
1. Certificate Verification Bypass: The VPN client can be tricked into bypassing certificate verification, allowing attackers to impersonate the VPN portal and deliver malicious payloads.

2. Arbitrary Root CA Insertion: Attackers can insert a malicious root CA into the system, enabling them to issue fraudulent certificates and potentially install malware.

3. Embedded Browser Exploits: The use of an embedded browser for authentication can be exploited to deliver malicious content, such as HTA files, leading to remote code execution.

4. Privilege Escalation: Abusing the impersonation mechanism or the weak system update process to obtain system privileges.

We will go through all the steps, try to understand GlobalProtect thoroughly, and pave the way towards a full-chain exploit.

Maxime Escourbiac is the Red Team Leader at Michelin CERT, specializing in offensive security, penetration testing, and advanced vulnerability exploitation. He has contributed to the discovery of vulnerabilities in widely used products such as PAN-OS, Grafana, VMware Aria Operations, Backstage, Artifactory, and ForgeRock AM.