VYPR
Low severity · NVD Advisory · Published May 14, 2025 · Updated Apr 15, 2026

CVE-2025-0133

Description

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN.

There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.

For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in PAN-OS GlobalProtect allows phishing, credential theft via crafted links; impact limited to users with Clientless VPN enabled.

Vulnerability

Overview

CVE-2025-0133 is a reflected cross-site scripting (XSS) vulnerability found in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software. The root cause lies in insufficient sanitization of user-supplied input reflected by the GlobalProtect interface. An attacker can craft a malicious link that, when clicked by an authenticated Captive Portal user, executes arbitrary JavaScript in the context of the user's browser [1].
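As an added illustration, and not code from Palo Alto Networks, PAN-OS or GlobalProtect, the hypothetical Python handler below shows the general pattern behind a reflected XSS: a query parameter copied into the HTML response without encoding, beside the same handler with output encoding and a restrictive Content-Security-Policy as defence in depth. The parameter name `msg`, the function names and the sample query string are all constructed for this example and do not describe the actual PAN-OS defect.

```python
# Added example (hypothetical, not PAN-OS/GlobalProtect code): reflected input
# rendered unsafely versus rendered with HTML output encoding.
import html
from urllib.parse import parse_qs

# Constructed sample request: the "msg" parameter carries HTML markup.
SAMPLE_QUERY = "msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
RAW_VALUE = "<script>alert(1)</script>"  # what SAMPLE_QUERY decodes to


def _get_msg(query_string: str) -> str:
    """Extract the first 'msg' value from a URL query string (empty if absent)."""
    return parse_qs(query_string).get("msg", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Vulnerable form: the parameter is interpolated verbatim, so any markup
    the link carries is parsed by the victim's browser as part of the page."""
    return f"<html><body><p>Status: {_get_msg(query_string)}</p></body></html>"


def render_hardened(query_string: str) -> str:
    """Hardened form: html.escape turns <, >, &, ' and " into entities, so the
    parameter is displayed as text and can never become a tag or attribute."""
    safe = html.escape(_get_msg(query_string), quote=True)
    return f"<html><body><p>Status: {safe}</p></body></html>"


def response_headers() -> dict:
    """Defence-in-depth headers a portal should send alongside escaped output:
    a CSP without 'unsafe-inline' blocks inline script even if encoding is
    missed somewhere, and nosniff stops content-type confusion."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(rendered: str, param_value: str) -> bool:
    """Simple regression check for a test suite: True when the parameter value
    appears in the response byte-for-byte, i.e. without encoding."""
    return param_value in rendered


if __name__ == "__main__":
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_vulnerable(SAMPLE_QUERY), RAW_VALUE))
    print("hardened reflects raw markup:  ",
          reflects_raw_markup(render_hardened(SAMPLE_QUERY), RAW_VALUE))
    print(render_hardened(SAMPLE_QUERY))
```

The `reflects_raw_markup` check is the kind of assertion to keep in a web application's test suite for every parameter that is echoed back: it fails as soon as someone removes the encoding step, which is exactly the class of regression that produces a reflected XSS.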

Exploitation

Prerequisites

Exploitation requires the victim to be an authenticated GlobalProtect user who clicks a specially crafted link. No additional privileges are needed, and the attack is network-based with low complexity. The attacker does not need to be authenticated to the target system. The primary attack vector is phishing, where the malicious link appears to originate from the legitimate GlobalProtect portal [1].

Impact

Assessment

The direct impact is limited to integrity and confidentiality. An attacker can use this XSS to create phishing pages that mimic the GlobalProtect login interface, potentially stealing credentials. There is no impact on the availability or integrity of GlobalProtect features or configurations. For users with Clientless VPN enabled, the risk of credential theft is elevated, leading to a limited confidentiality impact. However, if Clientless VPN is disabled, there is no confidentiality impact [1]. The vulnerability does not allow manipulation of portal or gateway contents.

Mitigation

Palo Alto Networks has released fixed versions in PAN-OS 11.2, 11.1, and 10.2. Users should upgrade to patched versions as listed in the advisory. For Cloud NGFW and Prisma Access, no action is required as they are unaffected. Disabling Clientless VPN reduces the risk related to credential theft [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
