GlobalProtect is the primary VPN client for many enterprises, so a successful attack could give an attacker full administrative control over an employee's work device, including access to corporate credentials, sensitive files, and internal network connections. The attack requires the adversary to be on the same network as the target, a condition that remote workers on public Wi-Fi, at conferences, or in shared office spaces routinely satisfy. If the flaw is exploited before patching, organizations face potential data exfiltration, ransomware staging, or lateral movement into corporate environments through a trusted VPN endpoint, with associated regulatory and reputational consequences.
You Are Affected If
You run Palo Alto Networks GlobalProtect App versions 6.0.x, 6.1.x, 6.2.x, or 6.3.x on Windows, macOS, Linux, Android, or ChromeOS endpoints
You run Palo Alto Networks GlobalProtect UWP App version 6.3.x on Windows endpoints
Your workforce connects to GlobalProtect from untrusted or public networks (hotels, conferences, airports, shared coworking spaces) where an attacker could achieve network adjacency
You have not applied the Palo Alto Networks patches published May 13, 2026, across all affected branches
Your GlobalProtect gateway does not enforce a minimum client version policy, allowing unpatched clients to connect
Board Talking Points
A confirmed security flaw in our VPN client software could allow an attacker on the same Wi-Fi network as an employee to take full control of that employee's work device.
The vendor released a fix on May 13, 2026; IT should complete deployment to all affected devices within 48 to 72 hours, prioritizing remote workers who regularly use public networks.
Without patching, any employee working from a hotel, airport, or conference is at elevated risk of device compromise, which could serve as a doorway into our broader corporate environment.