Palo Alto GlobalProtect Vulnerability Enables Malicious Code Execution


Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. The flaw enables execution of malicious JavaScript in the browsers of authenticated Captive Portal users when victims click specially crafted links. It poses a significant threat to organizations using the Clientless VPN feature. While rated LOW severity (CVSS Base Score 2.0) under default configurations, the risk rises to MEDIUM (CVSS 5.5) when Clientless VPN is enabled.
