Download our Latest Industry Report – Continuous Offensive Security Outlook 2026

Download Report
Back to Vulnerability List

Palo Alto Networks: PAN GlobalProtect App: SYSTEM via Embedded-Browser Escape on Connect Before Logon (SAML)

CVE-2022-0016 High Published
CVSS
7.4 High · Local · No PR
EPSS
0.00039 0.0% chance of exploit in 30d
CWE
CWE-703 Improper Check or Handling of Exceptional Conditions
Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Per PAN advisory: “An improper handling of exceptional conditions vulnerability exists within the Connect Before Logon feature of the Palo Alto Networks GlobalProtect app when the feature is configured to use SAML authentication that enables a local attacker to escalate to SYSTEM or root privileges when authenticating with Connect Before Logon under certain circumstances.” Per Praetorian’s blog: GlobalProtect spawns an embedded browser window for the user to authenticate against the organization’s IdP — an attacker can break out of that embedded browser to launch a command prompt, running with the same privileges as logonui.exe (SYSTEM).

Affected Packages / Versions

  • Package: Palo Alto Networks GlobalProtect app (Windows / macOS)
  • Latest published version at triage time: GlobalProtect app 5.2 prior to 5.2.9
  • Affected range: Per PAN advisory CVE-2022-0016: GlobalProtect App 5.2 < 5.2.9 on Windows and MacOS. GlobalProtect 5.1 and 5.3 are unaffected.
  • Patched version: GlobalProtect 5.2.9 on Windows and MacOS, and all later GlobalProtect app versions

Impact

Per Praetorian’s blog: “Since the customer did not implement network segmentation or require NLA to access the Windows login screen, this vulnerability resulted in remote code execution. Our team exploited the vulnerability to move laterally within the environment and eventually completed the attack objective for the engagement.” Per PAN: “Required Configuration for Exposure: This issue is applicable only to devices configured to use SAML authentication in the GlobalProtect Connect Before Logon feature.”

Severity Rationale

Per PAN advisory: CVSS 7.4 (High), CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H — local AV, high complexity, no privileges or UI, full CIA at SYSTEM/root. “Palo Alto Networks is not aware of any malicious exploitation of this issue.”

Fix

Per PAN: “This issue is fixed in GlobalProtect app 5.2.9 on Windows and MacOS, and all later GlobalProtect app versions.” Workaround: “Using non-SAML authentication methods in the GlobalProtect Connect Before Logon feature removes the impact of this issue.”

Disclosure timeline

  • TBDReported to vendor
  • Feb 9, 2022Patch released (PAN initial publication date)
  • Feb 9, 2022Public disclosure

Fix Commit(s)

    References

    Discovered by Per PAN advisory: "Adam Crosser (Praetorian), Brian Sizemore (Praetorian) and N. Sao (Genetec) for independently discovering and reporting this issue." · Published April 29, 2026