CVE-2025-0133
Published: 2025-05-14
CVE-2025-0133: A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution…
Priority: P3 · 35 · low · CVSS 4.0 score 2.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Amber
EXPLOIT
EPSS: 43.52% (98.6th percentile)
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN.
There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.
For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| palo_alto_networks | cloud_ngfw | >= All < 11.2.8 | 11.2.8 |
| palo_alto_networks | pan-os | — | — |
| palo_alto_networks | pan-os | >= 10.2.0 < 10.2.16-h1 | 10.2.16-h1 |
| palo_alto_networks | pan-os | >= 11.1.0 < 11.1.6-h14 | 11.1.6-h14 |
| palo_alto_networks | pan-os | >= 11.2.0 < 11.2.7 | 11.2.7 |
| palo_alto_networks | prisma_access | — | — |
| paloalto | cloud_ngfw | — | — |
| paloalto | pan-os | — | — |
| paloalto | prisma_access | — | — |
GHSA
GHSA-r93p-9jjr-wjhj · ghsa_unreviewed · 2025-05-14 · CVE-2025-0133 [MEDIUM] CWE-79
CISA ICS
Siemens RUGGEDCOM APE1808 · cisa_ics · 2025-06-12 · CVSS 2.7 · [LOW]
ICS Advisory: Siemens RUGGEDCOM APE1808
Release Date: June 12, 2025
Alert Code: ICSA-25-162-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v4 5.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808
- Vulnerability: Cross-site Scripting
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could all
Palo Alto
PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal
vendor_paloalto · CVSS 2.7 · CVE-2025-0133 [LOW] CWE-79
Suricata
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Reflected Cross-Site Scripting (CVE-2025-0133)
suricata · 2025-09-26 · CVSS 2.7 · CVE-2025-0133 [LOW]
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Reflected Cross-Site Scripting (CVE-2025-0133)"; flow:established,to_server; http.uri; content:"/ssl-vpn/getconfig.esp|3f|"; fast_pattern; content:"user|3d|"; pcre:"/^[^&]*?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]+|c(?:hange|lick)|(?:un)?load|focus|blur|error)|s(?:cript|tyle\x3d))/R"; reference:url,cloud.projectdiscovery.io/library/CVE-2025-0133; reference:cve,2025-0133; classtype:web-application-attack; sid:2064940; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2025_0133, deployment Perimeter, deployment Int
```
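To see what this rule actually flags before deploying it, the following added Python example (not part of the ET rule set or of this page) emulates the three `http.uri` checks in the rule: the endpoint `content`, the `user=` `content`, and the PCRE applied relative to the end of the `user=` match (the `/R` flag). The sample URIs are constructed for the test; the percent-decoded pass is an assumption about Suricata's normalized `http.uri` buffer, not something the rule text states.

```python
import re
from urllib.parse import unquote

# Anchors and pattern copied from the rule body. The PCRE is applied starting
# at the byte after "user=", which is what the /R (relative) flag means.
ENDPOINT = "/ssl-vpn/getconfig.esp?"
PARAM = "user="
PCRE = re.compile(
    r"^[^&]*?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)"
    r"|(?:mouse|key)[a-z]+|c(?:hange|lick)|(?:un)?load|focus|blur|error)"
    r"|s(?:cript|tyle\x3d))"
)

# Constructed sample request URIs (not captured traffic). Items 1 and 2 carry
# an event-handler or "script" token inside the user value; the others do not,
# or hit a different endpoint, or carry the token in a different parameter.
SAMPLE_URIS = [
    "/ssl-vpn/getconfig.esp?user=alice&domain=corp&computer=laptop",
    "/ssl-vpn/getconfig.esp?user=x%20onerror%3dy&domain=corp",
    "/ssl-vpn/getconfig.esp?user=%3Cscript%3E&domain=corp",
    "/ssl-vpn/getconfig.esp?domain=corp&user=bob",
    "/global-protect/login.esp?user=onload",
    "/ssl-vpn/getconfig.esp?user=jones&domain=onsubmit",
]


def rule_matches(uri: str) -> bool:
    """Emulate the rule's checks against one URI buffer, in rule order:
    1. content "/ssl-vpn/getconfig.esp?" anywhere in the URI,
    2. content "user=" anywhere in the URI (no distance/within, so any offset),
    3. the PCRE anchored at the byte right after that "user=".
    Suricata retries later "user=" occurrences when the relative PCRE fails
    on an earlier one, so every occurrence is tried here as well."""
    if ENDPOINT not in uri:
        return False
    start = 0
    while True:
        idx = uri.find(PARAM, start)
        if idx == -1:
            return False
        # Slice rather than pass pos=, because Python's "^" only anchors at
        # the real start of the string, unlike a relative PCRE match.
        if PCRE.match(uri[idx + len(PARAM):]):
            return True
        start = idx + 1


def classify(uris):
    """Return the URIs the rule would flag. Each URI is tested both raw and
    percent-decoded; treating the decoded form as the normalized http.uri
    buffer is an assumption of this emulation."""
    return [u for u in uris if rule_matches(u) or rule_matches(unquote(u))]


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print("ALERT " if u in classify([u]) else "pass  ", u)
```

The last two samples are the ones worth noting when tuning: the rule does not fire on the same token under a different endpoint, and it stops scanning the `user` value at the first `&`, so a token in `domain` is ignored. The PCRE has no word boundary, which is why a legitimate `user` value that merely contains `onload` or `script` as a substring would also trigger it; expect that class of false positive in user names.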
Nuclei
PAN-OS - Reflected Cross-Site Scripting
nuclei · CVSS 2.7 · CVE-2025-0133 [LOW]
Template:
```yaml
id: CVE-2025-0133
info:
  name: PAN-OS - Reflected Cross-Site Scripting
  author: xbow,DhiyaneshDK
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authen
```
HackerOne
Reflected XSS Vulnerability in SSL VPN Endpoint — CVE-2025-0133
hackerone · 2026-01-12 · CVSS 2.7 · CVE-2025-0133 [LOW]
### **Vulnerable Website URL or Application:**
```
█████
```
---
### **Description of Security Issue:**
The SSL VPN endpoint exposed at the above IP address is vulnerable to **Reflected Cross-Site Scripting (XSS)** via the `user` parameter.
This issue corresponds to **CVE-2025-0133**, which allows an unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of a victim who clicks on a maliciously crafted link.
Successful exploitation may lead to:
* Session hijacking
* Credential theft
* Browser-based exploits
This vulnerability poses a serious risk when combined with phishing or social engineering attacks.
---
### **Exploit Scenario:**
An attacker crafts a malicious link to the VPN endpoin
HackerOne
Reflected XSS via user parameter on getconfig.esp endpoint
hackerone · 2026-01-12 · CVSS 2.7 · [LOW]
**Description:**
The getconfig.esp endpoint reflects unsanitized user input provided in the user parameter directly into the HTML response. This results in a Reflected Cross-Site Scripting (XSS) vulnerability.
An attacker can trick a victim into clicking a crafted URL, resulting in arbitrary JavaScript execution in the context of the victim's browser. This can lead to cookie theft, session hijacking, phishing, or browser-based exploitation.
## Proof of Concept (PoC):
```
█████████prompt("XSS")&domain=(empty_domain)&computer=computer
```
## Impact
- Session Hijacking
- Phishing & Credential Theft
- Browser-based Exploitation
- Access to Internal VPN Resources (if session cookies are stolen)
## System Host(s)
██████████
## A
Published: 2025-05-14