Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software.
The flaw allows malicious JavaScript to run in the browsers of authenticated Captive Portal users when a victim clicks a specially crafted link.
It poses a significant threat to organizations using the Clientless VPN feature. While rated low severity (CVSS Base Score 2.0) under default configurations, the risk rises to MEDIUM (CVSS 5.5) when Clientless VPN is enabled.
Palo Alto GlobalProtect Vulnerability – CVE-2025-0133
XBOW researchers identified this vulnerability, which enables attackers to create convincing phishing and credential-stealing links that appear to be legitimately hosted on the GlobalProtect portal.
The primary attack vector involves social engineering to trick authenticated users into clicking malicious links.
The vulnerability’s technical classification is CWE-79 (Improper Neutralization of Input During Web Page Generation) and CAPEC-591 (Reflected XSS).
Importantly, proof-of-concept exploit code is already available in the wild, elevating the urgency for organizations to implement mitigation strategies.
When exploited, the vulnerability enables JavaScript execution within the security context of the user’s authenticated session.
While attackers cannot directly modify GlobalProtect configurations or content, they can conduct sophisticated phishing campaigns that circumvent traditional security measures by appearing to originate from trusted GlobalProtect infrastructure.
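The advisory classifies the flaw as CWE-79, so the following added example (not Palo Alto Networks code, and not the GlobalProtect portal's actual template) shows the defect class in miniature: a server that reflects a query-string value into HTML without neutralising it, beside the hardened form that entity-encodes the value. The URL, the parameter name `msg` and the portal hostname are constructed placeholders; the page does not say which GlobalProtect input was reflected.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample link of the kind a victim would be sent. "msg" and the
# hostname are placeholders, not the real GlobalProtect parameter or host.
CONSTRUCTED_URL = (
    "https://portal.example.test/login?msg=%3Cscript%3Ealert(1)%3C/script%3E"
)


def reflected_value(url: str, param: str = "msg") -> str:
    """Return the first value of `param` from the URL's query string ("" if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(param, [""])[0]


def render_vulnerable(value: str) -> str:
    """CWE-79: the untrusted value is pasted into the page as live markup."""
    return f"<p class='notice'>{value}</p>"


def render_hardened(value: str) -> str:
    """Neutralised output: <, >, &, and quotes become entities, so the browser
    treats the value as text inside the <p>, never as a new element."""
    return f"<p class='notice'>{html.escape(value, quote=True)}</p>"


def reflects_markup(rendered: str, value: str) -> bool:
    """Defender's check: did a value containing '<' survive into the page unchanged?"""
    return "<" in value and value in rendered


if __name__ == "__main__":
    v = reflected_value(CONSTRUCTED_URL)
    print("reflected value :", v)
    print("vulnerable page :", render_vulnerable(v), "->", reflects_markup(render_vulnerable(v), v))
    print("hardened page   :", render_hardened(v), "->", reflects_markup(render_hardened(v), v))
```

Because the reflected page is served from the portal's own origin, any script that survives into it runs with the victim's authenticated session, which is why the advisory lists credential theft as the impact even though the attacker cannot alter portal configuration. `html.escape` is correct for element content; a value placed into an attribute, a URL or a script block needs the encoding appropriate to that context.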
According to Palo Alto’s advisory, the vulnerability impacts multiple product versions, including Cloud NGFW (all versions), PAN-OS 11.2 (prior to 11.2.7), PAN-OS 11.1 (prior to 11.1.11), PAN-OS 10.2 (prior to 10.2.17), and PAN-OS 10.1 (all versions).
Prisma Access, however, remains unaffected.
| Risk Factors | Details |
|---|---|
| Affected Products | Cloud NGFW (all versions), PAN-OS 11.2 (prior to 11.2.7), PAN-OS 11.1 (prior to 11.1.11), PAN-OS 10.2 (prior to 10.2.17), and PAN-OS 10.1 (all versions) |
| Impact | Credential theft |
| Exploit Prerequisites | Enabled GlobalProtect gateway/portal; user interaction |
| CVSS 3.1 Score | 2.0 (default configurations), 5.5 (when Clientless VPN is enabled) |
Mitigation Strategies
Organizations running vulnerable versions should implement one of several available mitigations:
- Upgrade to patched versions when available:
  - PAN-OS 11.2: Version 11.2.7 or later (expected June 2025).
  - PAN-OS 11.1: Version 11.1.11 or later (expected July 2025).
  - PAN-OS 10.2: Version 10.2.17 or later (expected August 2025).
- Enable Threat Prevention IDs 510003 and 510004 (introduced in Applications and Threats content version 8970) for customers with Threat Prevention subscriptions.
- Consider disabling Clientless VPN functionality entirely.
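The affected-version table and the patched-version list above are easy to misread when a device runs a hotfix release such as `11.2.6-h2`. The following added example (written for this article, not a Palo Alto Networks tool) encodes the advisory's branch-to-fix mapping and triages a PAN-OS version string together with the Clientless VPN setting into the CVSS band the advisory gives. Branches the advisory does not name (for example 12.x) are reported as "not listed" rather than guessed; Cloud NGFW has no version string and is simply affected in all versions.

```python
import re
from typing import Optional

# Branch -> first fixed version, taken from the advisory summary above.
# None means every release of that branch is affected (no fix listed).
FIXED_VERSIONS = {
    "11.2": "11.2.7",
    "11.1": "11.1.11",
    "10.2": "10.2.17",
    "10.1": None,
}

# CVSS 3.1 base scores from the advisory, keyed by Clientless VPN state.
CVSS_BY_CLIENTLESS_VPN = {False: 2.0, True: 5.5}


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.maint[-hN]' into a comparable tuple, e.g. '11.2.6-h2' -> (11, 2, 6, 2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True/False per the advisory table; None if the branch is not listed there."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_VERSIONS:
        return None
    fixed = FIXED_VERSIONS[branch]
    if fixed is None:
        return True
    return v < parse_version(fixed)


def triage(version: str, clientless_vpn_enabled: bool) -> dict:
    """Combine version status with the Clientless VPN setting into a triage record."""
    affected = is_affected(version)
    branch = ".".join(version.split(".")[:2])
    return {
        "version": version,
        "affected": affected,
        "cvss": CVSS_BY_CLIENTLESS_VPN[clientless_vpn_enabled] if affected else None,
        "fixed_in": FIXED_VERSIONS.get(branch),
        "clientless_vpn_enabled": clientless_vpn_enabled,
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ver, cvpn in [("11.2.6-h2", True), ("11.2.7", True), ("10.1.14-h9", False), ("12.1.0", True)]:
        print(triage(ver, cvpn))
```

Feed it the version string reported by each firewall, and sort the results by `cvss` so gateways with Clientless VPN enabled on an affected branch are patched or have the feature disabled first, per the mitigation list above.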
Exploitation relies on specially crafted URLs that, when clicked, cause reflected JavaScript to execute in the user's browser session. Security experts recommend user awareness training about suspicious links as an additional layer of defense.
Palo Alto Networks has stated that they are unaware of any malicious exploitation of this vulnerability in the wild.
However, the availability of proof-of-concept code significantly increases the likelihood of active exploitation before patches are widely deployed.
Organizations using affected PAN-OS versions should prioritize mitigation based on their Clientless VPN usage and implement appropriate controls while awaiting official patches from Palo Alto Networks.