Palo Alto Networks has issued a security advisory addressing multiple vulnerabilities in its Expedition migration tool, which could expose sensitive data and allow unauthorized actions on affected systems.
Expedition, formerly known as the Migration Tool, is a free utility designed to assist organizations in transitioning to Palo Alto Networks’ next-generation firewall (NGFW) platform. The tool facilitates policy optimization and device configuration but has reached its End of Life (EoL) as of December 31, 2024. The advisory emphasizes that Expedition is not intended for production environments and advises users to explore suggested alternatives.
The advisory identifies several vulnerabilities, some of which could enable attackers to access sensitive data such as usernames, passwords, and device configurations. The issues include:
- SQL Injection (CVE-2025-0103): A flaw in the Expedition tool allows authenticated attackers to access database contents, including password hashes and device API keys. This vulnerability, rated 7.8 on the CVSS scale, also enables the creation and reading of arbitrary files on the system. Palo Alto Networks describes it as a high-severity risk because of the potential compromise of sensitive configuration data.
- Reflected Cross-Site Scripting (XSS) (CVE-2025-0104): This medium-severity vulnerability (CVSS 4.7) could enable attackers to execute malicious JavaScript in a user’s browser by tricking them into clicking a crafted link. This could lead to phishing attacks or session theft.
- Arbitrary File Deletion (CVE-2025-0105): An unauthenticated attacker could delete files accessible to the www-data user, potentially disrupting critical functions. Although rated 2.7 on the CVSS scale, its impact could escalate in certain environments.
- OS Command Injection (CVE-2025-0107): Rated 2.3 on the CVSS scale, this vulnerability allows authenticated attackers to execute arbitrary OS commands on the host, revealing cleartext passwords, usernames, and API keys for PAN-OS firewalls.
- Wildcard Expansion Enumeration (CVE-2025-0106): This flaw allows attackers to enumerate files on the host system, exposing metadata and facilitating subsequent attacks.
The vulnerabilities affect all versions of Expedition prior to 1.2.101. Other Palo Alto Networks products, such as PAN-OS, Prisma Access, and Cloud NGFWs, are unaffected.
Palo Alto Networks strongly recommends transitioning away from the Expedition tool due to its EoL status. For organizations that still use Expedition, the following measures are advised:
- Apply Updates: Upgrade to Expedition version 1.2.101 or later to address these vulnerabilities.
- Restrict Access: Ensure that only authorized users, hosts, and networks can access the tool.
- Shutdown When Idle: Disable Expedition entirely when not actively in use to minimize exposure.
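The advisory's affected range ("all versions prior to 1.2.101") and its three mitigations translate directly into an inventory triage step. The following script is an added example, not code from Palo Alto Networks or from the Expedition project: it parses Expedition version strings, decides whether a host falls inside the affected range, and pairs each finding with the advisory's recommended action. The host inventory and its `exposure` field are constructed for the example; the fixed version and CVE identifiers are the ones named above.

```python
"""Added triage helper (not Palo Alto Networks code) for the Expedition advisory.

Flags hosts whose reported Expedition version is below the fixed release and
attaches the advisory's mitigation (upgrade, restrict access, shut down when
idle, plan decommissioning because the tool is End of Life).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = "1.2.101"  # fixed release named in the advisory
ADVISORY_CVES = (
    "CVE-2025-0103", "CVE-2025-0104", "CVE-2025-0105",
    "CVE-2025-0106", "CVE-2025-0107",
)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.101' (or '1.2.101-something') into a comparable tuple.

    Only the leading dotted-numeric part is compared; a trailing tag is
    ignored. Short strings are padded so that '1.2' compares as '1.2.0'.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version is below the fixed release (i.e. still vulnerable)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class ExpeditionHost:
    name: str
    version: str
    exposure: str  # constructed field: "internal" or "internet"
    in_use: bool   # constructed field: is the tool still actively used?


def triage(hosts: list[ExpeditionHost]) -> list[dict]:
    """Return one finding per host with the actions the advisory recommends."""
    findings = []
    for host in hosts:
        actions = []
        affected = is_affected(host.version)
        if affected:
            actions.append(f"upgrade to Expedition {FIXED_VERSION} or later")
        if host.exposure != "internal":
            # "Restrict Access": only authorized users, hosts and networks
            actions.append("restrict access to authorized networks only")
        if not host.in_use:
            # "Shutdown When Idle": disable the tool when not actively used
            actions.append("shut the tool down while idle")
        # The tool is EoL regardless of version, so every host gets this one
        actions.append("plan migration away from Expedition (End of Life)")
        findings.append({
            "host": host.name,
            "version": host.version,
            "affected": affected,
            "cves": ADVISORY_CVES if affected else (),
            "actions": actions,
        })
    return findings


# Constructed inventory for the example; names and versions are made up.
SAMPLE_HOSTS = [
    ExpeditionHost("expedition-lab-01", "1.2.100", "internal", True),
    ExpeditionHost("expedition-dmz-02", "1.2.96", "internet", False),
    ExpeditionHost("expedition-new-03", "1.2.101", "internal", True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        status = "AFFECTED" if finding["affected"] else "fixed"
        print(f"{finding['host']} ({finding['version']}): {status}")
        for action in finding["actions"]:
            print(f"  - {action}")
```

Version comparison is done on integer tuples rather than on strings, because a string comparison would wrongly rank "1.2.96" above "1.2.101". The `exposure` and `in_use` fields stand in for whatever an organisation's asset inventory records; they exist only to map the advisory's "Restrict Access" and "Shutdown When Idle" advice onto concrete hosts.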
No malicious exploitation of these vulnerabilities has been reported. Organizations are urged to review Palo Alto Networks’ End of Life Announcement and implement mitigations or transition plans without delay.