CVE-2025-0133: Reflected XSS Vulnerability in Palo Alto GlobalProtect Gateway & Portal
A reflected cross-site scripting (XSS) vulnerability (CVE-2025-0133) was recently discovered in Palo Alto Networks’ PAN-OS, specifically in its GlobalProtect™ gateway and portal. Attackers can craft a malicious link that executes arbitrary JavaScript in the browser of an authenticated user, leading to phishing and credential theft — particularly if Clientless VPN is enabled.
What is CVE-2025-0133?
CVE-2025-0133 is a reflected XSS vulnerability present in the GlobalProtect gateway and portal features of PAN-OS. The issue allows attackers to trick users into clicking on a specially crafted link, which will cause a script of the attacker’s choosing to execute in the user’s browser in the context of the GlobalProtect portal.
While the vulnerability does not allow modification of the portal itself or its global configuration, it can easily be leveraged for phishing campaigns: the injected script runs on the origin of the legitimate VPN portal, which users already trust, so a fake login prompt or credential form served from it looks authentic.
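The root cause of a reflected XSS like this one is a request parameter that is copied into the HTML response without output encoding. The following is an added illustration written for this page, not PAN-OS code (the portal's source is not public): a minimal, hypothetical handler that echoes a user parameter unsafely beside one that HTML-encodes it for the context it lands in and sets a Content-Security-Policy, so that an encoding slip elsewhere still cannot execute inline script. All function names and the sample input are constructed for the example.

```python
import html
from typing import Dict, Tuple

# Constructed input standing in for the reflected parameter; the tag is only
# here so the two renderings can be compared side by side.
TAINTED_USER = '<svg><script>prompt("XSS")</script></svg>'


def render_unsafe(user: str) -> str:
    """Reflected XSS pattern: attacker-controlled text dropped straight into HTML."""
    return f"<p>Welcome, {user}</p>"


def render_safe(user: str) -> str:
    """HTML-encode for the context the value lands in (element body and attribute).

    quote=True also escapes ' and " so the value stays inert inside a quoted attribute.
    """
    safe = html.escape(user, quote=True)
    return f'<p>Welcome, <span data-user="{safe}">{safe}</span></p>'


def build_response(user: str) -> Tuple[Dict[str, str], str]:
    """Hardened response: encoded output plus a CSP that forbids inline script."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # No 'unsafe-inline': an injected <script> block is refused by the browser
        # even if some other template forgets to encode.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, render_safe(user)


def contains_raw_tag(tag: str, rendered: str) -> bool:
    """True when the given markup survived verbatim in the rendered output."""
    return tag in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(TAINTED_USER))
    headers, body = build_response(TAINTED_USER)
    print("safe:  ", body)
    print("CSP:   ", headers["Content-Security-Policy"])
```

Running the block prints the two renderings: the unsafe one carries the `<script>` element intact, the safe one carries only `&lt;script&gt;`, which the browser displays as text and never executes. Output encoding is the fix; the CSP is defence in depth.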
Impact
✅ Confidentiality:
If you have Clientless VPN enabled, phishing or credential theft is a serious concern due to the highly trusted interface of the VPN portal.
❌ Integrity:
No modification of files, settings, or other user data on the device or portal is possible.
❌ Availability:
This is not a denial-of-service issue; services continue to operate normally.
Proof of Concept
Step 1: Navigate to the Palo Alto portal
Step 2: Append the payload: /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1–10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
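Because the payload travels in the query string of a GET request, a successful or attempted use of this flaw leaves a trace in the web access logs of the portal (or of a reverse proxy in front of it). The following detection script is an added example for this page, not a Palo Alto tool; it assumes combined-format access-log lines (constructed here, not real traffic), URL-decodes every query parameter, including double-encoded values, and flags requests to GlobalProtect paths whose parameters contain HTML tags, `javascript:` URLs or inline event handlers. The `/ssl-vpn/getconfig.esp` path is the one named above; the `/global-protect/` prefix and the log format are assumptions to adapt to your environment.

```python
import re
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, unquote, urlsplit

# Path prefixes of the GlobalProtect endpoints to watch. /ssl-vpn/ covers the
# getconfig.esp endpoint from the write-up; /global-protect/ is an assumption.
WATCHED_PREFIXES = ("/ssl-vpn/", "/global-protect/")

# Markup that has no business in an identity parameter: an opening/closing tag,
# a javascript: URL, or an inline event handler such as onload=.
MARKUP = re.compile(r"<\s*/?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Request line of a combined-format access-log entry (Apache/nginx style).
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines: a benign config request, one carrying markup in
# the reflected "user" parameter, and an unrelated portal page load.
SAMPLE_LOGS = [
    '10.0.0.5 - - [21/May/2025:10:00:01 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=alice&domain=corp HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2025:10:00:07 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=%3Csvg%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=corp HTTP/1.1" 200 640',
    '10.0.0.7 - - [21/May/2025:10:00:09 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 2048',
]


class Finding(NamedTuple):
    client: str
    path: str
    param: str
    value: str


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> Dict[str, str]:
    """Return {param: decoded value} for query parameters carrying markup,
    restricted to the watched GlobalProtect paths."""
    parts = urlsplit(target)
    if not parts.path.startswith(WATCHED_PREFIXES):
        return {}
    hits: Dict[str, str] = {}
    # parse_qs performs the first decoding round; decode_fully handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_fully(raw)
            if MARKUP.search(decoded):
                hits[name] = decoded
    return hits


def scan_logs(lines: List[str]) -> List[Finding]:
    """Walk access-log lines and collect one Finding per suspicious parameter."""
    findings: List[Finding] = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        for param, value in suspicious_params(target).items():
            findings.append(Finding(m.group("client"), urlsplit(target).path, param, value))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"ALERT client={f.client} path={f.path} param={f.param} value={f.value!r}")
```

Run against the constructed sample it raises exactly one alert, for the request whose `user` parameter decodes to an SVG/script element. The match is on decoded content rather than on a fixed string, so it also catches re-encoded variants; pair it with patching to the fixed PAN-OS release from the advisory linked below, since detection only tells you that someone tried.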
Want to learn more and dig deeper?
I would suggest going through the articles mentioned below.
https://security.paloaltonetworks.com/CVE-2025-0133
Let’s connect:
Linkedin: https://www.linkedin.com/in/vaibhav-kumar-srivastava-378742a9/