{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2025-0133","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-15T17:41:36.705Z","generator":{"date":"2026-04-15T17:41:36.705Z","engine":{"name":"Vulnogram","version":"0.1.0-dev"}},"id":"CVE-2025-0133","initial_release_date":"2025-05-14T16:00:00.000Z","revision_history":[{"number":"1","date":"2025-05-14T09:00:00.000Z","summary":"Initial Publication"},{"number":"2","date":"2025-05-15T12:00:00.000Z","summary":"Added Prisma Access and Cloud NGFW to Affected Products. "},{"number":"3","date":"2025-05-15T13:00:00.000Z","summary":"Changed Expected Fix Release for PAN-OS 11.2"},{"number":"4","date":"2025-05-20T17:00:00.000Z","summary":"Removed Prisma Access from Affected Products. "},{"number":"5","date":"2025-05-21T13:30:00.000Z","summary":"Removed Cloud NGFW from Affected Products"},{"number":"6","date":"2025-06-18T12:15:00.000Z","summary":"Changed Content Version for Mitigation and Updated Version ETAs"},{"number":"7","date":"2025-07-03T23:30:00.000Z","summary":"Added Releases with the Software Fix, Updated Recommended Content Version, and Added Guidance for Prisma Access. "},{"number":"8","date":"2025-07-09T09:00:00.000Z","summary":"Added fix version for PAN-OS 10.2. "}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"Cloud NGFW","category":"product_name","branches":[{"category":"product_version","name":"Cloud NGFW All","product":{"name":"Palo Alto Networks Cloud NGFW","product_id":"PANW-Cloud-NGFW-1"}}]},{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version_range","name":"vers:generic/PAN-OS<11.2.7","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-689"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.2.7","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-689"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.2.4-h9","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-704"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<11.1.6-h14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-703"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.1.10-h1","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-705"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.1.6-h14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-703"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<10.2.16-h1","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-699"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.16-h1","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-699"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.1.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-118"}}]},{"name":"Prisma Access","category":"product_name","branches":[{"category":"product_version","name":"Prisma Access All","product":{"name":"Palo Alto Networks Prisma Access","product_id":"PANW-Prisma-Access-1"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2025-0133","product_status":{"fixed":["PANW-PAN-OS-689","PANW-PAN-OS-704","PANW-PAN-OS-705","PANW-PAN-OS-703","PANW-PAN-OS-699"],"known_affected":["PANW-Cloud-NGFW-1","PANW-PAN-OS-689","PANW-PAN-OS-703","PANW-PAN-OS-699","PANW-PAN-OS-118","PANW-Prisma-Access-1"]},"notes":[{"category":"description","text":"A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN.\n\nThere is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.\n\n\n\nFor GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005)https://security.paloaltonetworks.com/PAN-SA-2025-0005. There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN."}],"references":[{"category":"external","summary":"NVD - CVE-2025-0133","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-0133"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2025-0133","url":"https://security.paloaltonetworks.com/CVE-2025-0133"}],"threats":[{"category":"impact","description":"A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN.\n\nThere is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal.\n\n\n\nFor GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005)https://security.paloaltonetworks.com/PAN-SA-2025-0005. There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN."}],"scores":[{"cvss_v4":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"AMBER","exploitMaturity":"POC","baseSeverity":"MEDIUM","baseScore":5.1,"threatSeverity":"LOW","threatScore":2,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/R:U/V:D/U:Amber"},"products":["PANW-Cloud-NGFW-1","PANW-PAN-OS-689","PANW-PAN-OS-703","PANW-PAN-OS-699","PANW-PAN-OS-118","PANW-Prisma-Access-1"]},{"cvss_v4":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","Safety":"NEGLIGIBLE","Automatable":"NO","Recovery":"USER","valueDensity":"DIFFUSE","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER","exploitMaturity":"POC","baseSeverity":"MEDIUM","baseScore":6.9,"threatSeverity":"MEDIUM","threatScore":5.5,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:N/R:U/V:D/RE:M/U:Amber"},"products":["PANW-Cloud-NGFW-1","PANW-PAN-OS-689","PANW-PAN-OS-703","PANW-PAN-OS-699","PANW-PAN-OS-118","PANW-Prisma-Access-1"]}]}]}