CVE-2025-0105
📋 TL;DR
CVE-2025-0105 is an arbitrary file deletion vulnerability in Palo Alto Networks Expedition that allows unauthenticated attackers to delete files accessible to the www-data user on the host filesystem. This affects organizations using Expedition for migration and management of Palo Alto Networks firewalls. The vulnerability enables attackers to potentially disrupt services or achieve further compromise.
💻 Affected Systems
- Palo Alto Networks Expedition
📦 What is this software?
Expedition by Palo Alto Networks, a tool used to migrate configurations to and manage Palo Alto Networks firewalls.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, service disruption, or deletion of configuration files enabling lateral movement.
Likely Case
Service disruption by deleting application files, logs, or configuration data, potentially leading to denial of service or operational impact.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthenticated access to Expedition interfaces.
🎯 Exploit Status
Unauthenticated access makes exploitation straightforward; no specific exploit details are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check PAN-SA-2025-0001 for specific fixed versions
Vendor Advisory: https://security.paloaltonetworks.com/PAN-SA-2025-0001
Restart Required: Yes
Instructions:
1. Review the PAN-SA-2025-0001 advisory.
2. Download and apply the latest Expedition patch from the Palo Alto Networks support portal.
3. Restart Expedition services.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Expedition management interface to trusted IP addresses only. Rule order matters: the ACCEPT rule must be appended before the DROP rule. Replace TRUSTED_IP with the address or CIDR range of your administrative hosts, and persist the rules with your distribution's iptables save mechanism, since they are lost on reboot otherwise.
# Configure firewall rules to allow only trusted IPs to reach the Expedition port (default 8443)
sudo iptables -A INPUT -p tcp --dport 8443 -s TRUSTED_IP -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8443 -j DROP
Service Isolation
Run Expedition in a container or otherwise isolated environment with limited filesystem access. Because the vulnerability only deletes files the www-data user can reach, confining that user to the container filesystem and a single mounted volume limits what can be destroyed. The image name and mount paths below are illustrative; adapt them to your deployment.
# Example Docker run command with limited volume mounts
docker run -d --name expedition -p 8443:8443 -v /opt/expedition/config:/app/config paloaltonetworks/expedition
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to block all external access to Expedition management interface.
- Monitor filesystem changes and implement file integrity monitoring (FIM) to detect unauthorized file deletions.
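The file integrity monitoring suggested above, as an added example that is not part of the advisory or of Palo Alto Networks' tooling: a snapshot-based monitor that records a SHA-256 manifest of a watched tree and reports files that were deleted, added or modified since the baseline. The directory layout and file names in the demo are constructed; in practice, point it at the paths the www-data user can write to.

```python
# Added example (not from the advisory or Palo Alto Networks): a minimal
# snapshot-based file integrity monitor. Deleted entries are the primary
# signal for an arbitrary-file-deletion bug such as CVE-2025-0105.
import hashlib
import os
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Return {relative_path: sha256} for every regular file under root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, fifos, dangling links
                continue
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests and list deleted, added and modified paths."""
    return {
        "deleted": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then one is removed and one altered."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        for rel, data in (("config/app.conf", b"port=8443\n"), ("index.php", b"<?php\n"), ("cron.lock", b"1\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        os.remove(os.path.join(root, "cron.lock"))  # the deletion the monitor should catch
        with open(os.path.join(root, "index.php"), "ab") as fh:
            fh.write(b"// changed\n")
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline manifest off-host (the www-data user must not be able to delete it) and run the comparison on a schedule, alerting on any non-empty "deleted" list.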
🔍 How to Verify
Check if Vulnerable:
Check the Expedition version against the affected versions listed in PAN-SA-2025-0001; if the interface is reachable without authentication and runs a vulnerable version, assume it is vulnerable.
Check Version:
Check the Expedition web interface login page or application logs for version information; the specific command varies by deployment.
Verify Fix Applied:
Verify that the Expedition version matches a patched version per PAN-SA-2025-0001 and test that unauthenticated file deletion attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to Expedition API endpoints
- Unexpected file deletion events in system logs
- www-data user performing file operations outside normal scope
Network Indicators:
- Unusual outbound connections from Expedition host
- Traffic to Expedition port (default 8443) from untrusted sources
SIEM Query (pseudo-syntax; adapt field names and the expected_agents list to your platform):
source="expedition.log" AND (http_status=401 OR http_status=403) AND uri_path CONTAINS "/api/" AND user_agent NOT IN expected_agents