Palo Alto Networks disclosed a **reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133)** in its **GlobalProtect gateway and portal** (PAN-OS software). The flaw allows attackers to execute malicious JavaScript in authenticated users' browsers via crafted links, enabling **credential theft** through phishing. While the default CVSS score is **2.0 (Low)**, it escalates to **5.5 (Medium)** when **Clientless VPN** is enabled. Proof-of-concept (PoC) exploit code is already public, increasing the risk of active exploitation before patches (expected **June–August 2025**) are deployed.

The vulnerability affects multiple PAN-OS versions (11.2, 11.1, 10.2, 10.1) and **Cloud NGFW**, but **Prisma Access** is unaffected. Mitigations include upgrading to patched versions, enabling Threat Prevention IDs (510003, 510004), or disabling Clientless VPN. Though no confirmed malicious exploitation exists yet, the **social engineering risk**—tricking users into clicking malicious links—poses a **significant threat to authentication integrity**, particularly for organizations relying on Clientless VPN. Urgent action is advised to prevent credential compromise and downstream attacks.
Source: https://cybersecuritynews.com/palo-alto-globalprotect-portal-vulnerability/
Palo Alto Networks cybersecurity rating report: https://www.rankiteo.com/company/palo-alto-networks
{
"id": "PAL1480714112625",
"linkid": "palo-alto-networks",
"type": "Vulnerability",
"date": "5/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'industry': 'Cybersecurity',
                        'location': 'Santa Clara, California, USA',
                        'name': 'Palo Alto Networks',
                        'type': 'Organization'}],
 'attack_vector': ['Social Engineering', 'Malicious Links', 'Phishing'],
 'customer_advisories': ['Apply mitigations immediately if Clientless VPN is enabled.',
                         'Await official patches for long-term remediation.'],
 'data_breach': {'data_exfiltration': ['Potential (if credentials are stolen)'],
                 'personally_identifiable_information': ['Potential (if credentials include PII)'],
                 'sensitivity_of_data': ['High (authenticated session data)'],
                 'type_of_data_compromised': ['Session Tokens', 'Credentials']},
 'description': 'Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. The flaw enables execution of malicious JavaScript in authenticated Captive Portal user browsers when victims click specially crafted links. It poses a significant threat to organizations utilizing the Clientless VPN feature. The vulnerability is rated low severity (CVSS Base Score 2.0) under default configurations but elevates to MEDIUM (CVSS 5.5) when Clientless VPN is enabled. XBOW researchers identified this vulnerability, which enables attackers to create convincing phishing and credential-stealing links that appear legitimately hosted on the GlobalProtect portal. Proof-of-concept exploit code is already available in the wild, increasing urgency for mitigation.',
 'impact': {'brand_reputation_impact': ['Potential Loss of Trust Due to Phishing Risks'],
            'data_compromised': ['User Session Cookies', 'Credentials'],
            'identity_theft_risk': ['High (if credentials are stolen)'],
            'operational_impact': ['Increased Phishing Risk', 'Compromised User Sessions'],
            'systems_affected': ['GlobalProtect Gateway', 'GlobalProtect Portal', 'Clientless VPN']},
 'investigation_status': 'Ongoing (no confirmed malicious exploitation reported as of disclosure)',
 'lessons_learned': ['Clientless VPN introduces elevated risk for reflected XSS vulnerabilities.',
                     'Proof-of-concept exploits in the wild necessitate proactive mitigation even before active exploitation is observed.',
                     'User training remains critical for mitigating social engineering-based attacks.'],
 'motivation': ['Credential Theft', 'Phishing', 'Session Hijacking'],
 'post_incident_analysis': {'corrective_actions': ['Code-level fixes in upcoming PAN-OS patches.',
                                                   'Enhanced Threat Prevention signatures for XSS detection.'],
                            'root_causes': ['Improper input neutralization in GlobalProtect Captive Portal web page generation.',
                                            'Lack of default protections against reflected XSS in Clientless VPN configurations.']},
 'recommendations': ['Prioritize patching PAN-OS versions based on Clientless VPN usage.',
                     'Disable Clientless VPN if not essential to operations.',
                     'Deploy Threat Prevention signatures (IDs 510003, 510004) for affected systems.',
                     'Conduct phishing simulation exercises to raise user awareness.',
                     'Monitor for unusual activity in GlobalProtect portals/gateways.'],
 'references': [{'source': 'Palo Alto Networks Security Advisory'},
                {'source': 'XBOW Research'}],
 'response': {'communication_strategy': ['Public Advisory by Palo Alto Networks'],
              'containment_measures': ['Disable Clientless VPN functionality',
                                       'Enable Threat Prevention IDs 510003 and 510004 (Applications and Threats content version 8970)'],
              'enhanced_monitoring': ['Monitor for exploitation attempts via Threat Prevention signatures'],
              'remediation_measures': ['Upgrade to patched PAN-OS versions (expected releases: June–August 2025)',
                                       'User awareness training for suspicious links'],
              'third_party_assistance': ['XBOW Researchers (Vulnerability Discovery)']},
 'stakeholder_advisories': ['Palo Alto Networks customers using affected PAN-OS versions'],
 'title': 'Palo Alto Networks GlobalProtect Reflected XSS Vulnerability (CVE-2025-0133)',
 'type': ['Vulnerability', 'Cross-Site Scripting (XSS)', 'Reflected XSS'],
 'vulnerability_exploited': {'capec_id': 'CAPEC-591',
                             'cve_id': 'CVE-2025-0133',
                             'cvss_score': {'clientless_vpn_enabled': 5.5, 'default': 2.0},
                             'cwe_id': 'CWE-79',
                             'description': "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GlobalProtect gateway/portal Captive Portal"}}