PatchSiren cyber security CVE debrief
CVE-2025-0133 Palo Alto Networks CVE debrief
CVE-2025-0133 was published on 2025-06-10 and updated on 2026-03-12. The supplied source corpus describes a reflected cross-site scripting (XSS) issue in GlobalProtect gateway and portal features that can execute malicious JavaScript in an authenticated Captive Portal user's browser after they click a specially crafted link. The main impact described is phishing and credential theft, especially where Clientless VPN is enabled. One important caveat: the source material contains a product/vendor mismatch, associating the advisory metadata with Siemens RUGGEDCOM APE1808 while the vulnerability description references Palo Alto Networks PAN-OS. Treat the affected-product mapping as needing confirmation before making asset decisions.
- Vendor: Palo Alto Networks
- Product: RUGGEDCOM APE1808
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-06-10
- Original CVE updated: 2026-03-12
- Advisory published: 2025-06-10
- Advisory updated: 2026-03-12
Who should care
Security teams, network/application owners, and IAM/helpdesk staff responsible for GlobalProtect, captive portal, or Clientless VPN deployments; also anyone verifying whether the affected asset is actually a PAN-OS/GlobalProtect system versus the Siemens-mapped advisory metadata in the source corpus.
Technical summary
The vulnerability is a reflected XSS condition: a specially crafted link can cause malicious JavaScript to run in the browser context of an authenticated Captive Portal user. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, which aligns with a user-interaction-dependent attack that primarily affects integrity through script execution and phishing workflows. The supplied advisory text specifically highlights credential theft risk and notes that Clientless VPN increases concern. However, the source corpus metadata is internally inconsistent about the affected vendor/product, so the exact asset mapping should be validated against the official vendor advisory before remediation rollout.
Defensive priority
Medium
Recommended defensive actions
- Disable Clientless VPN where feasible, as called out in the source advisory.
- Apply the vendor's patch/update guidance as soon as it is available through customer support or the official advisory path.
- Review and restrict exposure of GlobalProtect gateway and portal functions to the minimum necessary audience.
- Warn users that specially crafted links may be malicious, particularly in captive portal and remote-access workflows.
- Validate the asset-to-advisory mapping in your environment because the provided source corpus conflicts on vendor/product attribution.
Evidence notes
Evidence is drawn only from the supplied CISA CSAF source item and its referenced advisory metadata. The source description states: reflected XSS in GlobalProtect gateway and portal features; malicious JavaScript executes in an authenticated Captive Portal user's browser after clicking a specially crafted link; phishing and credential theft are the primary risks; Clientless VPN increases concern. The CVSS vector supplied is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The source corpus also contains a notable inconsistency: vendor/product metadata lists Siemens RUGGEDCOM APE1808, while the CVE description references Palo Alto Networks PAN-OS. That mismatch is preserved here as an evidence-quality issue rather than resolved as fact.
Official resources
- CVE-2025-0133 CVE record (CVE.org)
- CVE-2025-0133 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source references (seven entries listed in the CSAF item; their URLs are not preserved in this extract)
Publicly disclosed on 2025-06-10 and updated on 2026-03-12. The supplied source corpus contains a vendor/product inconsistency, so affected-asset mapping should be verified against the official advisory before actioning remediation.