How a Security Researcher Received an Appreciation Letter from NASA for Identifying a CVE

January 1, 2026

A real-world bug hunting case study explaining how a reflected XSS vulnerability (CVE-2025-0133) in PAN-OS GlobalProtect was identified on a NASA system and responsibly disclosed, resulting in an official appreciation letter.




Disclaimer

This article is published strictly for educational and defensive security awareness purposes.
All sensitive assets, domains, and identifiers are redacted.
No exploitation beyond safe proof-of-concept testing was performed, and all findings were disclosed through an authorized vulnerability disclosure program.
Never test systems without explicit permission.


Introduction

Bug hunting is rarely predictable.

Sometimes vulnerabilities surface within minutes. Other times, days of effort lead nowhere. And occasionally, a single late-night attempt uncovers a vulnerability on a high-profile system—turning persistence into recognition.

This write-up documents how a security researcher identified a real-world vulnerability, CVE-2025-0133, affecting a critical VPN component used by a NASA-operated system, and how responsible disclosure ultimately resulted in an official Appreciation Letter from NASA.

This is not a story of luck or automation—it is a case study in knowledge reuse, persistence, and contextual understanding of vulnerabilities.


About CVE-2025-0133

Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Affected Product: Palo Alto Networks PAN-OS GlobalProtect
Severity: Medium

What the Vulnerability Allows

CVE-2025-0133 exists due to improper sanitization of user-controlled input in a GlobalProtect endpoint. An attacker can craft a malicious URL that, when accessed by an authenticated user, results in JavaScript execution in the browser.

Potential impact includes:

  • Credential theft via phishing
  • Session compromise in clientless VPN portals
  • Abuse of trust in authentication infrastructure
  • Targeted social engineering attacks

Although classified as reflected XSS, the deployment context—enterprise VPN and captive portals—significantly increases its real-world risk.
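The defect described above is ordinary reflected XSS: a parameter value is written into the HTML response without output encoding. The following added example (not PAN-OS code and not from the write-up; the rendering functions are a hypothetical stand-in for the affected endpoint) shows the vulnerable pattern beside its hardened form and uses an HTML parser to show what a browser would actually see in each case. The request path and the `user` parameter name come from the write-up; the sample request is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the affected endpoint with markup in the `user`
# parameter. Only the path and parameter name mirror the write-up.
SAMPLE_REQUEST = (
    "/ssl-vpn/getconfig.esp?client-type=1&portal=us-vpn-gw-N"
    "&user=%3Csvg%3E%3Cscript%3Eprompt%28%22x%22%29%3C%2Fscript%3E%3C%2Fsvg%3E"
)


def user_param(request_target: str) -> str:
    """Return the URL-decoded `user` parameter of a request target ('' if absent)."""
    query = urlsplit(request_target).query
    return parse_qs(query, keep_blank_values=True).get("user", [""])[0]


def render_vulnerable(user: str) -> str:
    """Hypothetical vulnerable rendering: the value is reflected verbatim."""
    return f"<p>Welcome, {user}</p>"


def render_hardened(user: str) -> str:
    """Same page with context-appropriate encoding for an HTML text node.

    html.escape turns <, >, &, " and ' into entities, so any tag or script in
    the value is displayed as text instead of being parsed as markup.
    """
    return f"<p>Welcome, {html.escape(user, quote=True)}</p>"


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, i.e. what a browser would build."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """List the element names an HTML parser finds in the fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    value = user_param(SAMPLE_REQUEST)
    print("decoded user value :", value)
    print("vulnerable page tags:", tags_in(render_vulnerable(value)))
    print("hardened page tags  :", tags_in(render_hardened(value)))
```

With the vulnerable renderer the parser reports `svg` and `script` elements, which is exactly the condition the write-up confirmed with a browser prompt; with the hardened renderer only the surrounding `p` element survives. The point for reviewers is that the fix belongs at the output-encoding step, not in input filtering alone.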

[Figure: reflected XSS attack flow. An attacker sends a malicious link to a victim; the victim's browser requests the VPN login portal with the payload; the portal reflects the payload back and it executes in the browser.]


The Late-Night Context

After repeated unsuccessful attempts on the same program—mostly duplicates and informational reports—the researcher revisited a known CVE they had previously studied in depth.

Rather than searching blindly, the approach shifted to leveraging existing vulnerability knowledge and applying it to fresh targets.

This change in strategy became the turning point.



Reconnaissance Using Shodan

The researcher began with broad reconnaissance using Shodan to identify exposed PAN-OS systems.

Base Query

    cpe:"cpe:2.3:o:paloaltonetworks:pan-os"

This returned a large number of publicly accessible PAN-OS instances.

Narrowing Scope to NASA

    cpe:"cpe:2.3:o:paloaltonetworks:pan-os" hostname:"nasa.gov"

This refined query produced 11 results—a manageable scope for targeted validation.

Several hosts were tested without success. Near the end of the list, one host exposed a familiar GlobalProtect login interface.


Identifying the Vulnerable Endpoint

The following GlobalProtect endpoint is known to be affected in vulnerable PAN-OS versions:

    /ssl-vpn/getconfig.esp

This endpoint processes multiple user-supplied parameters, making it a common target for reflected XSS testing.


Payload Construction

The researcher crafted a payload injecting a harmless JavaScript prompt via an SVG-based XSS vector:

    /ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22CyberTechAjju%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer

Proof of Concept Execution

When tested against the identified host, the payload resulted in JavaScript execution via a browser prompt—confirming the reflected XSS condition.

This demonstrated:

  • User input was reflected without proper encoding
  • The vulnerability was exploitable in a live environment
  • The system was running an affected PAN-OS version

[Figure: screenshot of the reflected XSS payload executing on the target web application, showing the browser prompt that confirmed the vulnerability.]


Validation on the Canonical Domain

To ensure accuracy and avoid false positives, the researcher repeated the test on the canonical NASA VPN domain (redacted).

The same payload produced the same result—confirming the vulnerability was not IP-specific but affected the actual production hostname.


Responsible Disclosure

The vulnerability was immediately reported through the official Bugcrowd Vulnerability Disclosure Program, including:

  • Clear reproduction steps
  • Impact explanation
  • Sanitized proof-of-concept
  • Reference to CVE-2025-0133

No sensitive data was accessed, modified, or exfiltrated during testing.


Outcome: NASA Appreciation Letter

Following triage and validation, the organization acknowledged the finding.

The final response included an official Appreciation Letter from NASA, recognizing the researcher’s contribution to improving security posture.

While no monetary reward was issued, the recognition itself became a career milestone—highlighting the value of responsible disclosure even in non-bounty programs.


Key Takeaways for Security Researchers

  • Reusing known CVEs intelligently is powerful
  • Context determines real-world impact
  • Persistence often outperforms automation
  • Final targets are sometimes the most rewarding
  • High-profile organizations still benefit from external research

Lessons for Organizations

  • VPN and authentication endpoints deserve continuous testing
  • Reflected XSS in sensitive workflows should not be downgraded
  • Patch validation must include external exposure checks
  • Defense-in-depth matters even for “medium” CVEs

References

  • Palo Alto Networks PAN-OS Security Advisories
  • CVE-2025-0133
  • OWASP Cross-Site Scripting Prevention Cheat Sheet
  • Bugcrowd Vulnerability Disclosure Program Documentation

Herish Chaniyara

Web Application Penetration Tester (VAPT) & Security Researcher. A Gold Microsoft Student Ambassador and PortSwigger Hall of Fame (#59) member dedicated to securing the web.

For any queries or professional discussions: herish.chaniyara@gmail.com