Analysis Summary

Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. This vulnerability, classified under (Improper Neutralization of Input During Web Page Generation) and CAPEC-591 (Reflected XSS), enables the execution of malicious JavaScript within authenticated Captive Portal user browsers when victims click on specially crafted URLs. While the default severity rating is low, the threat escalates to medium. When the Clientless VPN feature is enabled, it significantly increases the risk of credential theft through social engineering attacks.

The primary attack vector involves phishing or social engineering tactics, where attackers trick users, who are already authenticated, into clicking malicious links that appear to be legitimately hosted on the GlobalProtect portal. Once clicked, the attacker-controlled JavaScript executes in the context of the user’s browser session, which could allow credential harvesting or session hijacking. Although attackers cannot modify the GlobalProtect configuration or content directly, the fact that the malicious content appears to originate from trusted infrastructure makes it a potent tool for bypassing traditional security defenses.

This vulnerability affects multiple product versions, including Cloud NGFW (all versions), PAN-OS 11.2 (prior to 11.2.7), PAN-OS 11.1 (prior to 11.1.11), PAN-OS 10.2 (prior to 10.2.17), and PAN-OS 10.1 (all versions). Notably, Prisma Access is not affected. The availability of proof-of-concept (PoC) exploit code in the wild raises the urgency for mitigation, even though no active exploitation has been confirmed by Palo Alto Networks at this time. The vulnerability demands attention, especially from organizations relying on Clientless VPN, which elevates the attack surface.

To mitigate the threat, Palo Alto Networks recommends several actions: upgrade to patched PAN-OS versions once they become available (with version 11.2.7 expected by June 2025, 11.1.11 by July 2025, and 10.2.17 by August 2025). In the interim, organizations with Threat Prevention subscriptions should enable Threat Prevention IDs 510003 and 510004, introduced in Applications and Threats content version 8970. Additionally, disabling Clientless VPN entirely and conducting user awareness training on suspicious links are highly advised. Given the active PoC and potential for exploitation, affected organizations should take immediate defensive action while waiting for official patches.

Impact

• Sensitive Credential Theft
• Cross-site Scripting
• Security Bypass

Indicators of Compromise

CVE

• CVE-2025-0133

Affected Vendors

Remediation

• Upgrade to the latest version of PAN-OS, available from the Palo Alto Networks Security Advisory.
• Turn on Threat Prevention IDs 510003 and 510004, which detect exploitation attempts.
• Ensure your system is updated to Applications and Threats content version 8970 or later.
• If not essential to operations, disable Clientless VPN to reduce exposure and risk.
• Conduct phishing awareness training for users.
• Warn users not to click on suspicious or unexpected links, even if they appear to come from the organization's GlobalProtect portal.
• Regularly audit logs and monitor GlobalProtect portal usage and user session behavior for signs of exploitation.