Share
## https://sploitus.com/exploit?id=BDD2BFB9-2490-558F-B2CE-A14B786899D3
# CVE-2025-0133

Palo Alto PAN-OS reflected XSS in the GlobalProtect gateway and portal
`getconfig.esp` handler. The `user` query parameter is reflected unencoded
into the Captive Portal page; an attacker who lures an authenticated
GlobalProtect user to a crafted link can execute JavaScript in the trust
context of the corporate VPN portal, which makes phishing campaigns far more
effective.

Disclosed May 2025. Patched in PAN-SA-2025-0005. Discovered by
[XBOW](https://xbow.com/), Anthropic's autonomous bug-hunting agent. This
toolkit is a port of the validation pipeline originally built for
CVE-2020-3580 โ€” same architecture, different endpoint, different parameter,
five years of CVEs apart.

This repo contains:

- `xss.html` โ€” the human-verifiable PoC; edit `TARGET_HOST` and open in a
  browser to see the prompt fire.
- `src/` โ€” a discovery + scope-aware validation pipeline.
- `docs/` โ€” methodology and ethics.

## What the pipeline does

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Shodan   โ”‚ โ†’ โ”‚ scope match  โ”‚ โ†’ โ”‚ canary check   โ”‚ โ†’ โ”‚ MD report    โ”‚
โ”‚ (3 dorks)โ”‚   โ”‚ (H1, BC, +)  โ”‚   โ”‚ (no JS exec)   โ”‚   โ”‚ drafts       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

Each stage writes an inspectable JSON artifact and runs independently.

The validator does **not** fire `prompt()`. It GETs `/ssl-vpn/getconfig.esp`
with a unique canary string in the `user` parameter and grades the response
body. Confirmed hits get a Markdown draft with the original `xss.html`
referenced for the program reviewer to verify in their own browser.

## Setup

```bash
git clone https://github.com/cruxN3T/CVE-2025-0133
cd CVE-2025-0133
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
cp creds.env.example creds.env
$EDITOR creds.env   # add your Shodan key, optionally H1/BC tokens
```

`creds.env` is gitignored. The `.gitignore` blocks any file matching `*.env`
(except `*.env.example`), plus `data/` and `reports/` to keep target lists
and validation excerpts off the public repo.

## Usage

End-to-end:

```bash
python -m src.pipeline run
```

Or stage-by-stage:

```bash
python -m src.pipeline discover            # Shodan โ†’ data/shodan_hits.json
python -m src.pipeline scope               # match โ†’ data/in_scope.json
python -m src.pipeline validate            # canary โ†’ data/validation.json
python -m src.pipeline report              # โ†’ reports/__CVE-2025-0133.md
```

The `scope` stage works without any API keys โ€” it pulls from
`arkadiyt/bounty-targets-data`. Adding `H1_USERNAME` + `H1_API_TOKEN` to
`creds.env` and running `H1_LIVE=true python -m src.pipeline scope` augments
that with fresh data from the HackerOne Hacker API (slower; only useful if
you suspect a program brief changed today).

## Configuration

Everything lives in `creds.env`. See `creds.env.example` for the full list.
The two knobs worth knowing:

- `SCOPE_PLATFORMS` โ€” comma-separated. Defaults to `hackerone,bugcrowd`. Add
  `intigriti` and `yeswehack` if you want broader coverage.
- `TARGET_RPM` โ€” per-host requests per minute. Default 10. Don't raise this
  without a reason.

## Read these before running it

- [`docs/ETHICS.md`](docs/ETHICS.md) โ€” what scope match does and doesn't
  authorize, and what the validator deliberately does not do.
- [`docs/METHODOLOGY.md`](docs/METHODOLOGY.md) โ€” how reflection grading
  works and why each stage exists.

## Notes on this CVE specifically

- **Severity is medium, not critical.** This is reflected XSS requiring
  user interaction. CVSS 4.0 base of 5.1, up to 6.9 with Clientless VPN
  enabled. Programs accept it but expect lower payouts than RCE-class.
- **Third-party software exclusion is a real concern.** Many programs
  explicitly exclude vendor n-days from scope or redirect to vendor PSIRT.
  Read each program brief before validating, even after scope match.
- **Mass-scanning competition is real.** A public Nuclei template for
  CVE-2025-0133 exists; every hunter has been scanning since June 2025.
  Your edge is in coverage of programs others have skipped (smaller VDPs,
  recently-launched programs, regional programs) and in well-presented
  reports that triagers can confirm fast.

## What this repo is not

Not a mass-exploitation tool. Not a substitute for reading the program
brief on the platform before you submit. The scope matcher is a starting
point; the policy text is the contract.

## License

MIT. See [`LICENSE`](LICENSE).