CVE-2025-0133: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Palo Alto Networks Cloud NGFW
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.
AI Analysis
Technical Summary
This vulnerability involves improper neutralization of input during web page generation (CWE-79) in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software. An attacker can craft a link that, when clicked by an authenticated Captive Portal user, executes malicious JavaScript in the user's browser context. This can facilitate phishing attacks that appear to originate from the GlobalProtect portal, potentially leading to credential theft. The vulnerability does not affect availability or allow modification of portal or gateway configurations. Confidentiality impact is limited to scenarios where Clientless VPN is enabled, increasing the risk of credential theft. No patch or official fix information is provided in the advisory. The vendor has published an informational bulletin (PAN-SA-2025-0005) detailing the risk associated with Clientless VPN.
Potential Impact
The vulnerability enables attackers to conduct phishing attacks by executing malicious scripts in the browser of authenticated Captive Portal users, potentially leading to credential theft. There is no impact on system availability or integrity of GlobalProtect portal or gateway configurations. Confidentiality impact is limited and only applies if Clientless VPN is enabled, due to inherent risks in that feature. Users without Clientless VPN enabled are not impacted in terms of confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed, and no official fix or patch information is currently provided. Check the vendor advisory PAN-SA-2025-0005 for current remediation guidance and detailed mitigation steps. In the meantime, disabling Clientless VPN reduces the confidentiality risks associated with this vulnerability.
Technical Details
- Data Version: 5.1
- Assigner Short Name: palo_alto
- Date Reserved: 2024-12-20T23:23:33.828Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec823
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 4/3/2026, 5:57:38 AM
Last updated: 5/8/2026, 7:39:47 PM