Bug Bounty Writeup: Reflected XSS via CVE-2025-0133 on PAN-OS

Overview

Hello everyone! In this writeup, I want to share a recent finding from a bug bounty program on Bugcrowd that was triaged as a P3.

While performing perimeter recon on a target’s infrastructure, I identified an exposed VPN portal vulnerable to CVE-2025-0133 — a Reflected Cross-Site Scripting (XSS) vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect portals.

For security and compliance reasons, the target’s domain and identifying information have been redacted.

  • Target Location: *.[REDACTED].com
  • Target Category: Web App
  • VRT: Cross-Site Scripting (XSS) > Reflected > Non-Self
  • Priority: P3
  • Bug URL: https://vpn.[REDACTED].com/

Description

When an attacker can control code that is executed within a user’s browser via Reflected XSS, they are able to carry out any actions that the user is able to perform, including accessing the user’s data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies to hijack a user’s session.

Business Impact

Reflected XSS could lead to data theft through the attacker’s ability to manipulate data and interact with other users. These malicious actions could appear to originate from a legitimate user and result in serious reputational damage for the business due to the impact on customers’ trust.

If exploited, this vulnerability enables an attacker to:

  • Execute arbitrary JavaScript within the victim’s browser.
  • Steal sensitive information such as session cookies, tokens, or stored data.
  • Perform actions on behalf of the victim user (session hijacking).
  • Conduct phishing attacks by injecting fake login forms or malicious scripts.

Steps to Reproduce

1. Identify the Vulnerable Service

During my initial reconnaissance targeting the *.[REDACTED].com wildcard, I actively looked for exposed infrastructure and corporate assets. I stumbled upon vpn.[REDACTED].com, which hosted a Palo Alto GlobalProtect portal.

Knowing that CVE-2025-0133 (a known Reflected XSS flaw in PAN-OS) had recently been published, I decided to test whether their instance was patched.

2. Craft the XSS Payload

The vulnerability in CVE-2025-0133 exists in the /ssl-vpn/getconfig.esp endpoint, where user inputs like the user parameter are not properly sanitized before being reflected in the response.

I constructed the following URL with a basic SVG XSS payload (<svg xmlns="http://www.w3.org/2000/svg"><script>prompt("XSS")</script></svg>):

https://vpn.[REDACTED].com/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer

Decoded user parameter for clarity:

<svg xmlns="http://www.w3.org/2000/svg"><script>prompt("XSS")</script></svg>

3. Observe the Execution

Using a browser, I navigated to the crafted payload URL. As expected, the PAN-OS portal reflected the unsanitized user parameter back to the browser with a Content-Type that allowed HTML/JavaScript execution. The JavaScript prompt popped up, successfully confirming the Reflected XSS!

Proof of Concept (PoC)

Below are the screenshots demonstrating the injected JavaScript executing on the vulnerable endpoint:

PoC 1 (Image: JavaScript execution triggered on the vulnerable endpoint)

PoC 2 (Image: Further demonstration of the XSS vulnerability)
Conclusion & Remediation Advice

Finding N-days like CVE-2025-0133 on external enterprise perimeters highlights the importance of timely patch management. External portals (like VPNs) are prime targets because they are exposed to the public internet by design.

To properly secure this endpoint against CVE-2025-0133, organizations must:

  1. Upgrade PAN-OS to a fixed version: Install the official patches provided by Palo Alto Networks (e.g., versions 11.2.7+, 11.1.10-h1+, or 10.2.16-h1+).
  2. Apply strict Content Security Policy (CSP): A robust CSP will mitigate exploitation by preventing the execution of unauthorized inline scripts.
  3. Disable Unnecessary Features: If the Clientless VPN feature is not required by the organization, disabling it reduces the attack surface.
  4. Input Encoding & Sanitization: The vendor patch addresses this for the affected endpoint, but contextually encoding and sanitizing all user input before reflecting it into a response remains a general best practice.
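As an added example (not part of the original post), the following Python scans constructed access-log lines for requests to the /ssl-vpn/getconfig.esp endpoint described in the reproduction steps, percent-decodes the user parameter until stable (so a double-encoded payload is not missed) and flags values carrying markup; it also shows the HTML encoding that remediation item 4 calls for. The log format, client IPs and helper names are my own assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the original post). The second
# line carries the post's SVG payload, the third a double-encoded <script> tag,
# the others are benign. Format: client_ip "METHOD target HTTP/x" status
SAMPLE_LOG = """\
203.0.113.10 "GET /ssl-vpn/getconfig.esp?client-type=1&user=alice&portal=us-vpn-gw-N HTTP/1.1" 200
203.0.113.11 "GET /ssl-vpn/getconfig.esp?client-type=1&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&portal=us-vpn-gw-N HTTP/1.1" 200
203.0.113.12 "GET /ssl-vpn/getconfig.esp?user=%253Cscript%253E&portal=us-vpn-gw-N HTTP/1.1" 200
203.0.113.13 "GET /global-protect/login.esp HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Markup that has no business in a username: a tag opener, a javascript: URL or an on*= handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return the decoded 'user' values of a getconfig.esp request that contain markup."""
    parts = urlsplit(target)
    if parts.path != "/ssl-vpn/getconfig.esp":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    return [d for d in map(fully_decode, params.get("user", [])) if MARKUP_RE.search(d)]

def scan_log(text):
    """One finding per logged request whose 'user' parameter carries markup."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for payload in inspect_request(m["target"]):
            findings.append({"ip": m["ip"], "status": m["status"], "user": payload})
    return findings

def encode_for_html(value):
    """Remediation item 4: HTML-encode before reflecting, so the payload renders as inert text."""
    return html.escape(value, quote=True)
```

Run `scan_log(SAMPLE_LOG)` to get the two flagged requests; a status of 200 on a flagged request is what the post's reproduction step would leave behind on an unpatched portal.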

Final Thoughts

A big thank you to the target company’s security team and the Bugcrowd triage team for their fast response in verifying this report. Continuously monitoring your attack surface for freshly disclosed N-days is an incredibly effective Bug Bounty strategy.

Thanks for reading, and happy hunting!

This post is licensed under CC BY 4.0 by the author.