Security researchers have identified a noteworthy cross-site scripting vulnerability, designated as CVE-2024-0133, affecting Palo Alto Networks' PAN-OS GlobalProtect gateway and portal features across multiple versions. The vulnerability, disclosed on May 14, 2025, impacts PAN-OS versions 11.2 (prior to 11.2.7), 11.1 (prior to 11.1.11), 10.2 (prior to 10.2.17), and 10.1, in addition to Cloud NGFW and Prisma Access deployments. Fixed versions are expected to be released through phased updates between June and August 2025.
The reflected XSS vulnerability permits attackers to craft malicious JavaScript links that execute within authenticated users' browser sessions when clicked through the Captive Portal. Although the vulnerability's severity is rated LOW with a CVSS score of 2.0 in standard configurations, the risk rises to MEDIUM (CVSS 5.5) when Clientless VPN functionality is activated, greatly expanding the potential attack surface. When deployed alongside the OPSWAT MetaDefender SDK, the GlobalProtect App exhibits additional privilege management vulnerabilities that compound the security risk. Organizations face data breach costs averaging $4.35 million when such vulnerabilities are successfully exploited.
Authenticated users face elevated risk when Clientless VPN is enabled, turning a minor XSS vulnerability into a more serious security concern.
The primary threat vector centers on sophisticated phishing campaigns that utilize the trusted GlobalProtect portal interface. Attackers can redirect authenticated users to convincing credential-harvesting pages that appear legitimate because of the preserved portal branding and active session context. This attack method proves particularly effective as it circumvents traditional email security measures by exploiting established trust in the VPN infrastructure.
Palo Alto Networks has implemented multiple mitigation strategies for affected customers. Organizations utilizing the Threat Prevention subscription can activate Threat IDs 510003 and 510004 to block exploitation attempts. These protective measures are automatically active for Prisma Access customers. The vendor strongly recommends disabling Clientless VPN functionality where possible and upgrading to the latest maintenance releases of affected PAN-OS versions.
Although investigation has revealed no evidence of attackers successfully achieving remote code execution or privilege escalation through this vulnerability, the risk of credential theft remains substantial. The flaw, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), highlights the ongoing challenges in securing web-based authentication portals against sophisticated social engineering attacks that exploit user trust in legitimate security infrastructure.
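To make the CWE-79 pattern behind this class of bug concrete, the following is an added illustration, not Palo Alto Networks code and not a claim about how GlobalProtect or the Captive Portal is implemented. It models a generic portal page that reflects a query parameter: the vulnerable variant copies the value straight into the HTML, the hardened variant entity-encodes it, a response-header helper shows the defence-in-depth settings, and a small log-review helper flags requests whose query string carries raw markup. The page layout, the `user` parameter name and the sample payload are all constructed for the example.

```javascript
// Added example of CWE-79 (reflected XSS) and its fix on a generic
// captive-portal style page. Constructed for illustration; it is not PAN-OS
// code and the parameter name, markup and payload are assumptions.

// HTML metacharacters and their entity forms. Encoding all five is the
// "neutralization" step CWE-79 describes for HTML body context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the reflected `user` value is interpolated verbatim,
// so any markup carried in the link becomes live markup in the response.
function renderLoginVulnerable(params) {
  const user = params.get('user') ?? '';
  return '<html><body><h1>Captive Portal</h1>' +
         `<p>Welcome back, ${user}</p></body></html>`;
}

// Hardened rendering: identical page, but the untrusted value is encoded
// before it reaches the HTML, so it can only ever be displayed as text.
function renderLoginHardened(params) {
  const user = escapeHtml(params.get('user') ?? '');
  return '<html><body><h1>Captive Portal</h1>' +
         `<p>Welcome back, ${user}</p></body></html>`;
}

// Defence in depth for the response: a CSP without 'unsafe-inline' keeps
// injected inline script from executing even if an encoding bug slips
// through, and nosniff stops the browser reinterpreting the content type.
function securityHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Log-review helper: true when a raw query string, once URL-decoded, carries
// angle brackets or a javascript: scheme bound for a reflected parameter.
function looksLikeMarkupInjection(rawQuery) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawQuery);
  } catch (e) {
    decoded = rawQuery; // malformed percent-encoding: inspect as-is
  }
  return /<|>|javascript:/i.test(decoded);
}

// Constructed request: a portal link whose `user` parameter carries markup.
const demoQuery = 'user=%3Cscript%3Ealert(1)%3C%2Fscript%3E';
const demoParams = new URLSearchParams(demoQuery);
console.log('vulnerable page contains <script>:',
  renderLoginVulnerable(demoParams).includes('<script>'));
console.log('hardened page contains <script>:',
  renderLoginHardened(demoParams).includes('<script>'));
console.log('query flagged for review:', looksLikeMarkupInjection(demoQuery));
```

The output-encoding fix is the one that removes the vulnerability; the CSP and log check are the layers a defender adds so that a future encoding mistake is contained and visible rather than silently exploitable.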