GlobalProtect App is a VPN and endpoint security client deployed widely across enterprise fleets — compromise of it hands an attacker full control of the affected workstation or server, the highest level of local access possible. Any employee, contractor, or attacker who has already reached an affected endpoint (via phishing, stolen credentials, or physical access) can use this vulnerability to fully control that machine, steal credentials, access sensitive data, or pivot deeper into the corporate network. Organizations subject to SOC 2, ISO 27001, or regulated data handling requirements may face audit findings or breach notification obligations if exploitation is discovered after the fact.
You Are Affected If
You run Palo Alto Networks GlobalProtect App version 6.0.x, 6.2.x, or 6.3.x on any Windows, macOS, or Linux endpoint in your environment
Local user accounts — including standard employee accounts, contractor accounts, or remote desktop sessions — exist on hosts running the affected GlobalProtect versions
You have not yet applied the fixed GlobalProtect App version identified in the Palo Alto Networks PSIRT advisory (https://security.paloaltonetworks.com/CVE-2026-0251)
Your endpoint patch management process does not include GlobalProtect App version tracking or does not enforce automatic client updates via Panorama or your MDM platform
Endpoints running the affected GlobalProtect versions are accessible via RDP, SSH, or other remote access mechanisms that allow low-privileged user sessions
Board Talking Points
A vulnerability in our VPN security client software allows any user on an affected company device to gain full control of that machine — the equivalent of having administrator access without authorization.
IT and security teams should apply the vendor-released fix to all affected devices within your standard high-severity patch window; no workaround exists and the only remediation is upgrading the software.
If unpatched devices are later found to have been exploited, the organization faces potential data exposure, regulatory scrutiny, and incident response costs that patching now would avoid.
