Likelihood: LOW
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is low because exploitation requires pre-existing local access to an affected endpoint: there is no remote attack vector and no active exploitation has been confirmed, so the realistic attacker pool is limited to insiders, phished users, and attackers who already hold a foothold on the machine. Impact is high because successful exploitation yields SYSTEM or root privileges on a corporate endpoint running the enterprise VPN client, from which an attacker can harvest credentials, move laterally, exfiltrate data, or disable security controls with full local authority. Re-rate likelihood if public exploit code or confirmed in-the-wild exploitation appears, since the local-access prerequisite is the only factor holding it at low.
Treatment rationale: No workaround exists, and the outcome of a successful exploit (full system control) is severe enough that acceptance is unjustifiable. Patching across the three active version branches (6.0.x, 6.2.x, 6.3.x) on Windows, macOS, and Linux is the only corrective control available, so mitigate is the sole viable primary treatment.
Third-Party / Supply-Chain Risk
GlobalProtect App is a Palo Alto Networks-managed client deployed by the organization onto employee and contractor endpoints; the organization has no ability to patch independently of Palo Alto's release cycle, creating a vendor-dependency window between disclosure and available fix. Organizations that distribute GlobalProtect to third-party contractors or managed-service partners extend exposure to endpoints outside direct IT control — those endpoints may lag the enterprise patch timeline (NIST SP 800-161 Tier 2/3 supplier risk).
Loss Exposure (illustrative)
Magnitude: moderate-to-high — illustrative $150K–$2M per realized incident, scaling with whether the escalated endpoint yields privileged credentials or access to sensitive data stores
Frequency: For an organization with a large GlobalProtect deployment and mixed insider/contractor populations, the illustrative frequency of a realized local-access exploitation event is low, perhaps 0.05–0.15 events per year during the unpatched window; the local-access prerequisite limits opportunistic exploitation and is the main driver of that estimate.
Annualized: Illustrative ALE: $7,500–$300,000 per year during the unpatched exposure window (0.05 × $150K at the low end, 0.15 × $2M at the high end); the range is wide because frequency is the dominant uncertainty.
Basis: Loss magnitude: full SYSTEM/root compromise of an endpoint running the VPN client enables credential theft, EDR bypass, and lateral movement; incident response, forensics, and potential data-loss costs set the floor, and the upper bound reflects scenarios where the compromised endpoint belongs to a privileged user (IT admin, finance, executive) and the attacker pivots to domain-level access. Frequency: the local-access prerequisite significantly reduces the attacker pool compared with remotely exploitable CVEs; the duration of the unpatched window and the fleet size are the primary frequency levers. No external report figures are cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If an attacker uses this privilege escalation as a stepping stone to exfiltrate personal data, a PII or PHI breach-notification obligation may be triggered — verify with counsel and privacy officer.
• A confirmed compromise of an endpoint running security software may qualify as a reportable security event under cyber-insurance policy terms — verify with broker before assuming coverage scope or notice deadlines.
• Contractor or third-party endpoints running GlobalProtect that are compromised via this vulnerability may implicate vendor-security or breach-notification clauses in those agreements — verify with counsel.