PAN-SA-2025-0005 GlobalProtect Clientless VPN: Clientless VPN Misconfiguration Allows Cross-Site Attacks
Informational
Description
Palo Alto Networks GlobalProtect Clientless VPN is intended to provide secure remote access to trusted internal applications. It is not meant to provide access to the Internet, intranet or multiple websites.
When the Clientless VPN is misconfigured to allow access to the Internet or to any internal website, every site reached through it is served from the portal's origin, so the browser's Same-Origin Policy no longer isolates them. This allows malicious scripts on one site to obtain sensitive information from, or modify the content of, any application accessible through the VPN, including the Clientless VPN itself.
For further details about the risks of Clientless VPNs, please refer to https://www.kb.cert.org/vuls/id/261869.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS | All | None |
Prisma Access | All | None |
Required Configuration for Exposure
All of the following must be true to be impacted by this:
- You have a valid GlobalProtect Subscription license.
- Clientless VPN is enabled in the GlobalProtect Portal configuration.
  - Browse to [ Network > GlobalProtect > Portals ] and click on the Portal config to open it.
  - Select [ Clientless VPN tab > General ]. If the Clientless VPN checkbox is checked, then the feature is enabled. Take note of the “Security Zones” configured for the next step.
- Security Policies allow Clientless VPN access to more than one internal or external application.
  - From the previous step, use the configured “Security Zones” to verify the existing Security Policies for Clientless VPN. In our example, the zone is named “Clientless-VPN”.
  - Go to [ Policies > Security ]. In the search bar, type the zone name found in the previous step (Clientless-VPN in our example) to verify whether the existing Security Policies for Clientless VPN allow access to more than one trusted site.
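The policy check above can also be run against an exported configuration. The following is an added example, not code from the advisory or from Palo Alto Networks: it parses a constructed PAN-OS-style XML export and reports every allow rule leaving the Clientless VPN zone together with the destinations they open up. The XPath to the security rulebase, the zone name and the rule names are assumptions for this sample; adjust them to your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a PAN-OS running-config export (the exact
# element path is an assumption). Two allow rules leave the Clientless-VPN
# zone: one to a single HR application, one to the Internet ("any").
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="cvpn-to-hr-portal">
    <from><member>Clientless-VPN</member></from>
    <to><member>Trust</member></to>
    <destination><member>hr-portal-10.1.1.5</member></destination>
    <application><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
  <entry name="cvpn-to-internet">
    <from><member>Clientless-VPN</member></from>
    <to><member>Untrust</member></to>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
  <entry name="lan-out">
    <from><member>Trust</member></from>
    <to><member>Untrust</member></to>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

# Assumed location of the vsys security rulebase inside the export.
RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"

def members(rule, field):
    """Return the <member> values of a rule field such as 'from' or 'destination'."""
    return [m.text for m in rule.findall(f"./{field}/member")]

def audit_clientless_vpn(config_xml, zone):
    """Collect every destination reachable from `zone` through allow rules.
    Per the advisory, exposure is any destination of "any" or more than one
    distinct destination in total across all such rules."""
    root = ET.fromstring(config_xml)
    rules = [r for r in root.findall(RULES_XPATH)
             if r.findtext("action") == "allow" and zone in members(r, "from")]
    reachable = {d for r in rules for d in members(r, "destination")}
    exposed = "any" in reachable or len(reachable) > 1
    return {"rules": [r.get("name") for r in rules],
            "destinations": sorted(reachable), "exposed": exposed}
```

A compliant configuration yields exactly one destination object and `exposed` false; the sample above is flagged because of the `any` rule.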
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Workarounds and Mitigations
The Clientless VPN feature only ensures secure remote access to a single trusted application. Ensure that the Clientless VPN access is limited by Security Policies to a single trusted site. Refer to the Configure Clientless VPN page for additional details.
Because the Same-Origin Policy is not enforced between applications reached through Clientless VPN, if you must provide access to multiple applications, we strongly recommend limiting that access to trusted pages only.
Clientless VPN should never be used to allow access to the internet or intranet. If you need to secure access to untrusted websites, please consider the following alternatives:
- GlobalProtect App
- Supported Third Party VPN Client
- Prisma Access Browser
- Web Proxy (Note: Web Proxy can only be used to improve web browsing safety. It cannot be used as a VPN.)