Security researchers published the technical details and a proof-of-concept (PoC) exploit code for CVE-2025-0107, a vulnerability in Palo Alto Networks’ Expedition migration tool that could allow remote attackers to execute arbitrary code on vulnerable systems.
The vulnerability affects Palo Alto Expedition version 1.2.101 and prior. Exploitation is possible due to a flaw in the /API/regionsDiscovery.php endpoint, which allows unauthenticated attackers to manipulate the application into connecting to a malicious Apache Spark server controlled by the attacker.
This server can then deliver a specially crafted Java package that, when returned as a response, is executed by the vulnerable Expedition server, ultimately granting the attacker the ability to run arbitrary code.
“A vulnerability in the /API/regionsDiscovery.php endpoint allows unauthenticated attackers to trigger a call to an Apache Spark server (attacker controlled) which can then be used to cause the execution of arbitrary code,” the researcher wrote.
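Because the vulnerable endpoint is reachable without authentication, one practical defender check is to sweep the Expedition host's web-server access log for requests to /API/regionsDiscovery.php from sources that are not the expected migration workstations. The following Python is an added example, not code from the article or from Palo Alto Networks; it assumes a standard Apache/nginx combined log format, and the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Combined access-log format (assumption: Expedition's web server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoint named in the CVE-2025-0107 write-up; compared case-insensitively.
VULN_ENDPOINT = "/api/regionsdiscovery.php"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_endpoint_hits(lines, allowed_sources=frozenset()):
    """Return {source_ip: [timestamps]} for every request to the vulnerable
    endpoint whose source is not in allowed_sources (e.g. known admin hosts).
    Query strings are stripped so '/API/regionsDiscovery.php?x=1' still matches."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines instead of crashing
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path == VULN_ENDPOINT and rec["ip"] not in allowed_sources:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:10:02:15 +0000] "POST /API/regionsDiscovery.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [10/Jan/2025:10:02:16 +0000] "POST /API/regionsDiscovery.php?x=1 HTTP/1.1" 200 88',
    '10.0.0.5 - - [10/Jan/2025:10:03:00 +0000] "GET /API/regionsDiscovery.php HTTP/1.1" 200 88',
    'not a log line',
]

if __name__ == "__main__":
    # 10.0.0.5 is treated as the known migration workstation and ignored.
    for ip, times in find_endpoint_hits(SAMPLE_LOG, allowed_sources={"10.0.0.5"}).items():
        print(f"{ip}: {len(times)} request(s) to {VULN_ENDPOINT}")
```

Any hit from an unexpected source is worth correlating with outbound connections from the Expedition host toward hosts that are not its known Spark server, since that is the second step of the chain described above.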
An independent security researcher working with SSD Secure Disclosure has released technical details and proof-of-concept (PoC) exploit code for CVE-2025-0107. While this disclosure raises awareness, it also increases the risk of exploitation by malicious actors.
Palo Alto Networks had previously announced the End-of-Life (EoL) for Expedition on December 31, 2024. While the tool was intended for temporary use during migration from other firewall vendors to the Palo Alto Networks NGFW platform, organizations still relying on Expedition are now at high risk.
“Expedition is designed to only be used temporarily for migration purposes, not to be run in production,” stated Palo Alto Networks in their EoL announcement. However, the existence of this vulnerability, coupled with the lack of further security updates, leaves any remaining users exposed to significant risk.