Palo Alto Networks has issued a security advisory detailing multiple vulnerabilities in its Expedition Migration Tool, a free utility designed to assist organizations in transitioning to Palo Alto Networks’ Next-Generation Firewall (NGFW) platform. The tool, which facilitates policy optimization and device configuration, has officially reached its End of Life (EoL) as of December 31, 2024, and is no longer supported for production environments.
The identified vulnerabilities could allow attackers to access sensitive data, including usernames, passwords, and device configurations, and execute unauthorized actions on affected systems. While no exploitation has been reported, organizations still using Expedition are strongly urged to apply updates or transition to alternative solutions.
Vulnerabilities Identified
- SQL Injection (CVE-2025-0103)
  - Description: An authenticated attacker can exploit a SQL injection flaw to read Expedition database contents, including usernames, password hashes, device configurations, and device API keys, and can also use it to create and read arbitrary files on the Expedition system.
  - Severity: High (CVSS 7.8).
  - Potential Impact: Disclosure of credentials and configuration data for the firewalls being migrated, compromising firewall security.
- Reflected Cross-Site Scripting (XSS) (CVE-2025-0104)
  - Description: If an authenticated Expedition user is tricked into clicking a malicious link, attacker-supplied JavaScript executes in that user's browser in the context of the Expedition session.
  - Severity: Medium (CVSS 4.7).
  - Potential Impact: Phishing and theft of the Expedition browser session.
- Arbitrary File Deletion (CVE-2025-0105)
  - Description: An unauthenticated attacker can delete files on the host filesystem that are accessible to the www-data user.
  - Severity: Low (CVSS 2.7).
  - Potential Impact: Loss of application or data files, disrupting the tool's operation.
- Wildcard Expansion Enumeration (CVE-2025-0106)
  - Description: An attacker can enumerate files on the host filesystem, exposing file names and layout that can aid later attacks.
  - Severity: Low (CVSS 2.3).
  - Potential Impact: Filesystem metadata leakage facilitating further exploitation.
- OS Command Injection (CVE-2025-0107)
  - Description: An authenticated attacker can execute arbitrary OS commands as the www-data user, exposing usernames, cleartext passwords, device configurations, and device API keys.
  - Severity: Low (CVSS 2.3).
  - Potential Impact: Compromise of sensitive configuration data for PAN-OS firewalls.
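As an added illustration (not code from the advisory or from Expedition itself), the Python/SQLite snippet below shows the injection pattern behind a finding like CVE-2025-0103 next to the parameterized form that closes it. The table layout, rows, hashes, API keys and payload strings are all constructed for the example; the real tool's schema is not known from the advisory.

```python
import sqlite3

# Constructed sample data standing in for a migration tool's user store.
# Nothing here is Expedition's own schema, code, or data.


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, device_api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, device_api_key) VALUES (?, ?, ?)",
        [
            ("admin", "$2y$10$CONSTRUCTED.HASH.FOR.ADMIN", "CONSTRUCTED-API-KEY-1"),
            ("migrator", "$2y$10$CONSTRUCTED.HASH.FOR.MIGRATOR", "CONSTRUCTED-API-KEY-2"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller-controlled username is spliced into the
    SQL text, so a quote character in the input changes the query's structure."""
    sql = (
        "SELECT username, password_hash, device_api_key FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the input is bound as a parameter, so it is only ever
    compared as a string value and is never interpreted as SQL."""
    sql = (
        "SELECT username, password_hash, device_api_key FROM users "
        "WHERE username = ?"
    )
    return conn.execute(sql, (username,)).fetchall()


# Tautology payload: closes the string literal and appends OR '1'='1.
TAUTOLOGY_PAYLOAD = "nobody' OR '1'='1"
# UNION payload: returns every row regardless of the WHERE clause.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash, device_api_key FROM users -- "


def demo() -> dict:
    """Row counts returned by each lookup for a legitimate name and two payloads."""
    conn = build_sample_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "admin")),
        "legit_parameterized": len(lookup_parameterized(conn, "admin")),
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "tautology_parameterized": len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD)),
        "union_vulnerable": len(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "union_parameterized": len(lookup_parameterized(conn, UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

The vulnerable lookup hands back both users' password hashes and API keys for either payload, while the parameterized lookup returns nothing because the payload is treated as a literal username that does not exist. The file creation and reading the advisory mentions is a separate capability of the database engine (in MySQL, `LOAD_FILE()` and `SELECT ... INTO OUTFILE` under the FILE privilege), so an application database account that lacks that privilege limits what a successful injection can reach even before the query is fixed.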
Affected Versions
All versions of Expedition prior to 1.2.101 are affected.
Note: Other Palo Alto Networks products, such as PAN-OS, Prisma Access, and Cloud NGFWs, are unaffected by these vulnerabilities.
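A small added helper, not part of the advisory, for checking an inventory of Expedition hosts against the fixed release. It compares version components numerically, because a plain string comparison would wrongly treat a version such as 1.2.99 as newer than 1.2.101; the host names and versions in the sample inventory are constructed.

```python
# Added helper (not from the advisory or the tool) that flags Expedition
# installs still below the fixed release named in the advisory.

FIXED_VERSION = "1.2.101"


def parse_version(version: str) -> tuple:
    """Turn '1.2.101' (or 'v1.2.101') into (1, 2, 101) so components compare numerically."""
    cleaned = version.strip().lstrip("vV")
    parts = []
    for component in cleaned.split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(component))
    return tuple(parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def naive_is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Plain string comparison: wrong for versions like 1.2.99, shown only to illustrate the pitfall."""
    return installed < fixed


def hosts_needing_upgrade(inventory: list) -> list:
    """Return the (host, version) pairs from the inventory that are still affected."""
    return [(host, version) for host, version in inventory if is_affected(version)]


# Constructed sample inventory; host names and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("expedition-lab-01", "1.2.99"),
    ("expedition-lab-02", "1.2.100"),
    ("expedition-prod-01", "1.2.101"),
    ("expedition-prod-02", "v1.2.102"),
]

if __name__ == "__main__":
    for host, version in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {version} is below {FIXED_VERSION}, upgrade required")
```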
Mitigation Measures
Palo Alto Networks recommends the following steps for organizations still using the Expedition tool:
- Apply Updates:
  - Upgrade to Expedition version 1.2.101 or later to remediate these vulnerabilities.
- Restrict Access:
  - Limit access to authorized users, hosts, and networks only.
- Disable When Not in Use:
  - Shut down the Expedition tool entirely when not actively in use to reduce the attack surface.
- Transition to Alternatives:
  - Explore alternative tools or solutions suggested in Palo Alto Networks' End of Life Announcement.
Impact Analysis
The vulnerabilities in the Expedition tool present varying levels of risk. While no active exploitation has been reported, the potential compromise of sensitive data, particularly through CVE-2025-0103 (SQL Injection), poses a significant threat to organizations still relying on this tool. The EoL status of Expedition further underscores the urgency of transitioning to supported solutions.
Recommendations
Organizations using Expedition should prioritize the following actions:
- Immediate Update: Upgrade to the latest version to mitigate known vulnerabilities.
- Access Management: Restrict and monitor access to the tool.
- Long-Term Strategy: Transition to supported solutions to ensure security and compliance with Palo Alto Networks’ guidelines.
References
- Palo Alto Networks Security Advisory
- Palo Alto Networks End of Life Announcement for Expedition