A recently identified vulnerability, classified as CVE-2025-0133, poses risks to Palo Alto Networks’ GlobalProtect configurations, particularly firewalls with the GlobalProtect gateway or portal enabled. The issue has been assessed as low severity unless the Clientless VPN option is enabled, which greatly amplifies the risk. When exploited, this reflected cross-site scripting (XSS) vulnerability has a limited impact on confidentiality, chiefly in scenarios where users are tricked into revealing their credentials.
Exploiting CVE-2025-0133 requires an attacker to target users who access a compromised GlobalProtect gateway or portal page. The attack can be carried out remotely by anyone with network access and relies on malformed input to execute arbitrary script within the victim’s browser session. Notably, an enabled Clientless VPN escalates the potential for credential theft, making that configuration particularly exposed. The degree of exposure also differs between PAN-OS versions. The issue has been fixed in PAN-OS versions 10.2.4, 11.0.1, and all later versions.
The vulnerability has been assigned a CVSS-B score of 6.9, indicating a moderate level of risk; without the Clientless VPN configuration the risk is less pronounced.
Exposure varies by PAN-OS version. For instance, PAN-OS 11.2 is vulnerable only in releases below 11.2.7, with a patch anticipated in June 2025, whereas other branches such as PAN-OS 10.1 are affected in every release, with no unaffected version available. Critically, both Cloud NGFW and Prisma Access are unaffected by this issue.
Mitigation strategies must be a priority for administrators managing these devices. Experts stress the urgency of updating to unaffected versions as soon as they become available. Furthermore, disabling the Clientless VPN function may provide an effective safeguard against credential theft risks.
Though CVE-2025-0133 may be less severe compared to prior vulnerabilities like CVE-2024-3400, it still highlights a considerable and persistent risk within the domain of VPN technologies, reiterating the need for vigilant security practices.