CVE-2025-0133

LOW NUCLEI

PAN-OS 10.1.0-11.2.7 - Reflected Cross-Site Scripting in GlobalProtect Captive Portal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2025-0133. PoCs published by ynsmroztas, INTELEON404, dodiorne. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based exploit for CVE-2025-0133, targeting a reflected XSS vulnerability in GlobalProtect SSL VPN's `/ssl-vpn/getconfig.esp` endpoint. The exploit crafts a malicious URL with an XSS payload embedded in the `user` parameter, which triggers a JavaScript prompt when rendered.

Description

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 https://security.paloaltonetworks.com/PAN-SA-2025-0005 . There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.

Exploits (7)

nomisec WORKING POC 18 stars
by ynsmroztas · poc
https://github.com/ynsmroztas/-CVE-2025-0133-GlobalProtect-XSS

This repository contains a Python-based exploit for CVE-2025-0133, targeting a reflected XSS vulnerability in GlobalProtect SSL VPN's `/ssl-vpn/getconfig.esp` endpoint. The exploit crafts a malicious URL with an XSS payload embedded in the `user` parameter, which triggers a JavaScript prompt when rendered.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Palo Alto Networks GlobalProtect SSL VPN (version not specified)
No auth needed
Prerequisites: Target URL with accessible `/ssl-vpn/getconfig.esp` endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 9 stars
by INTELEON404 · poc
https://github.com/INTELEON404/CVE-2025-0133

This repository contains a Bash-based scanner tool for detecting CVE-2025-0133, a Reflected XSS vulnerability in Palo Alto GlobalProtect Gateway & Portal. It leverages nuclei and shodanx to automate the scanning process.

Classification
Working Poc | Scanner 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Palo Alto Networks GlobalProtect Portal (PAN-OS)
No auth needed
Prerequisites: nuclei installed · shodanx installed and configured · CVE-2025-0133 nuclei template
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 4 stars
by dodiorne · poc
https://github.com/dodiorne/cve-2025-0133

This repository contains a Python-based scanner for detecting CVE-2025-0133, a reflected XSS vulnerability in Palo Alto Networks GlobalProtect Portal (PAN-OS). The tool tests multiple parameters with context-specific payloads and logs results for analysis.

Classification
Scanner 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Palo Alto Networks PAN-OS (GlobalProtect Portal / Gateway)
No auth needed
Prerequisites: Python 3.x · requests library · colorama library · network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by cruxN3T · poc
https://github.com/cruxN3T/CVE-2025-0133

This repository contains a functional exploit PoC for CVE-2025-0133, a reflected XSS vulnerability in Palo Alto PAN-OS GlobalProtect gateway and portal. The exploit leverages the `user` query parameter in the `getconfig.esp` handler to execute JavaScript in the context of the VPN portal.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Palo Alto PAN-OS GlobalProtect gateway and portal
No auth needed
Prerequisites: Victim must be lured to a crafted link · Target must be running vulnerable PAN-OS version
devstral-2 · analyzed May 10, 2026 Full analysis →
nomisec WRITEUP
by adhamelhansye · poc
https://github.com/adhamelhansye/CVE-2025-0133

This repository contains a writeup describing CVE-2025-0133, a reflected XSS vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway and portal. The vulnerability allows arbitrary JavaScript execution in the context of an authenticated user's browser via a crafted link.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Palo Alto Networks PAN-OS (11.2 < 11.2.7, 11.1 < 11.1.11, 10.2 < 10.2.17)
Auth required
Prerequisites: Authenticated access to the Captive Portal · Victim interaction (clicking a crafted link)
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by shawarkhanethicalhacker · poc
https://github.com/shawarkhanethicalhacker/CVE-2025-0133-exploit

This repository contains a Python script to scan for CVE-2025-0133, a reflected XSS vulnerability in Palo Alto's `getconfig.esp` endpoint. The script sends a probe request to detect Palo Alto and then tests for XSS by injecting a payload into the `user` parameter.

Classification
Scanner 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Palo Alto SSL VPN (specific version not specified)
No auth needed
Prerequisites: Network access to the target Palo Alto SSL VPN endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by wiseep · poc
https://github.com/wiseep/CVE-2025-0133

This repository contains a Python-based scanner for CVE-2025-0133, which targets a reflected XSS vulnerability in Palo Alto GlobalProtect gateways/portals. The script checks multiple URLs for the presence of an XSS payload and logs vulnerable endpoints.

Classification
Scanner 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: Palo Alto GlobalProtect (PAN-OS with GlobalProtect gateway/portal enabled)
No auth needed
Prerequisites: List of target URLs with GlobalProtect gateways/portals
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

PAN-OS - Reflected Cross-Site Scripting
MEDIUMVERIFIEDby xbow,DhiyaneshDK
Shodan: http.favicon.hash:"-631559155" || cpe:"cpe:2.3:o:paloaltonetworks:pan-os"
FOFA: icon_hash="-631559155"

References (1)

Core 1
Core References
Various Sources vendor-advisory
https://security.paloaltonetworks.com/CVE-2025-0133

Scores

CVSS v4 1.2
EPSS 0.3138
EPSS Percentile 98.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/U:Amber

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (9)
Palo Alto Networks/Cloud NGFW All - 11.2.8
Palo Alto Networks/PAN-OS 10.1.0
Palo Alto Networks/PAN-OS 10.2.0 - 10.2.16-h1
Palo Alto Networks/PAN-OS 10.2.0 - 10.2.17
Palo Alto Networks/PAN-OS 11.1.0 - 11.1.11
Palo Alto Networks/PAN-OS 11.1.0 - 11.1.6-h14
Palo Alto Networks/PAN-OS 11.2.0 - 11.2.7
Palo Alto Networks/PAN-OS 11.2.0 - 11.2.8
Palo Alto Networks/Prisma Access All
Published May 14, 2025
Tracked Since Feb 18, 2026