
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-0133, was discovered in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software. It was disclosed on May 14, 2025, and affects multiple versions of PAN-OS, including 11.2 (versions < 11.2.7), 11.1 (versions < 11.1.11), 10.2 (versions < 10.2.17), and all versions of 10.1 (Palo Advisory).
The vulnerability enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The severity is rated as LOW with a CVSS Base Score of 2.0 without Clientless VPN, and MEDIUM with a CVSS Base Score of 5.5 when Clientless VPN is enabled. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Palo Advisory).
The primary risk associated with this vulnerability is phishing attacks that can lead to credential theft, particularly when Clientless VPN is enabled. There is no availability impact to GlobalProtect features or users, and attackers cannot tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks that facilitate credential theft (Palo Advisory).
Palo Alto Networks has scheduled patches for affected versions: PAN-OS 11.2.7 (ETA June 2025), PAN-OS 11.1.11 (ETA July 2025), and PAN-OS 10.2.17 (ETA August 2025). As temporary mitigations, customers with a Threat Prevention subscription can block attacks by enabling Threat IDs 510003 and 510004 (introduced in Applications and Threats content version 8970). Additionally, administrators can disable Clientless VPN to reduce risk (Palo Advisory).
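The affected-version thresholds, the two CVSS scores and the mitigations above can be turned into a fleet triage check. The following is an added example, not code from Palo Alto Networks or from this database; the inventory, hostnames and function names are constructed, and ignoring the hotfix suffix is an assumption.

```python
import re

# Fixed-release thresholds as stated on this page; None means every release
# on that branch is listed as affected.
FIXED_IN = {
    (11, 2): (11, 2, 7),
    (11, 1): (11, 1, 11),
    (10, 2): (10, 2, 17),
    (10, 1): None,
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance) from a string such as '11.1.6-h3'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    # Assumption: the hotfix suffix is ignored, because the page gives
    # thresholds only at maintenance-release granularity.
    return tuple(int(g) for g in m.groups()[:3])

def triage(version, clientless_vpn):
    """Classify one device against the page's affected-version list."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch not in FIXED_IN:
        # Branches the page does not mention are reported, not guessed.
        return {"status": "unknown", "cvss": None, "actions": []}
    fixed = FIXED_IN[branch]
    if fixed is not None and ver >= fixed:
        return {"status": "fixed", "cvss": None, "actions": []}
    actions = ["enable Threat IDs 510003 and 510004 (content version 8970)"]
    if clientless_vpn:
        actions.append("disable Clientless VPN")
    actions.append(f"upgrade to {'.'.join(map(str, fixed))} once available"
                   if fixed else "no fixed release listed on this page")
    cvss = 5.5 if clientless_vpn else 2.0  # MEDIUM with Clientless VPN, else LOW
    return {"status": "affected", "cvss": cvss, "actions": actions}

# Constructed inventory: (hostname, PAN-OS version, Clientless VPN enabled)
INVENTORY = [
    ("fw-edge-01", "11.2.6-h1", True),
    ("fw-edge-02", "11.1.11", False),
    ("fw-lab-03", "10.1.14-h9", False),
]

if __name__ == "__main__":
    for host, version, cvpn in INVENTORY:
        print(host, version, triage(version, cvpn))
```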
Source: This report was generated using AI