Full Report
Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data. "Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database contents and arbitrary files, as well as create and
Analysis Summary
# Vulnerability: Multiple Flaws in Palo Alto Networks Expedition Migration Tool (CVE-2025-0103 to CVE-2025-0107)
## CVE Details
- CVE ID: CVE-2025-0103, CVE-2025-0104, CVE-2025-0105, CVE-2025-0106, CVE-2025-0107
- CVSS Score: 7.8 (High) for CVE-2025-0103, 4.7 (Medium) for CVE-2025-0104, 2.7 (Low) for CVE-2025-0105, 2.7 (Low) for CVE-2025-0106, 2.3 (Low) for CVE-2025-0107
- CWE: SQL Injection (CVE-2025-0103), Cross-Site Scripting (CVE-2025-0104), Arbitrary File Deletion (CVE-2025-0105), Wildcard Expansion Flaw (CVE-2025-0106), OS Command Injection (CVE-2025-0107)
## Affected Systems
- Products: Palo Alto Networks Expedition migration tool
- Versions: All versions prior to the patched releases. Note: Expedition reached End-of-Life (EoL) as of December 31, 2024.
- Configurations: N/A
## Vulnerability Description
Multiple vulnerabilities in the Expedition migration tool allow an attacker to read and manipulate data and files on the Expedition system. An authenticated attacker can read sensitive database contents (including usernames, cleartext passwords, device configurations, and API keys) via SQL injection (CVE-2025-0103) or OS command injection (CVE-2025-0107). Unauthenticated flaws allow arbitrary file deletion (CVE-2025-0105) or file enumeration (CVE-2025-0106). A cross-site scripting flaw (CVE-2025-0104) allows an authenticated user's session to be compromised via a malicious link.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but the high-severity flaws are exploitable by authenticated users.
- Complexity: Low to Medium (depending on the specific CVE, with some requiring authentication).
- Attack Vector: Primarily Network (authenticated/unauthenticated via the tool interface).
## Impact
- Confidentiality: High (Exposure of usernames, cleartext passwords, device configurations, and API keys).
- Integrity: High (Ability to create and delete arbitrary files, depending on privileges).
- Availability: Low (Potential impact on the tool's service if files are deleted).
## Remediation
### Patches
Palo Alto Networks has released final patches for the End-of-Life tool:
- **Version 1.2.100:** Addresses CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107.
- **Version 1.2.101:** Addresses CVE-2025-0105 and CVE-2025-0106.
### Workarounds
1. Restrict all network access to the Expedition tool to only authorized users, hosts, and networks.
2. If the tool is not in use, shut down the Expedition service entirely.
## Detection
- The source provides no detection details. As a starting point, monitor network traffic to the Expedition server for unusual commands or SQL-like query parameters in requests.
## References
- Vendor Advisory: https://security.paloaltonetworks.com/PAN-SA-2025-0001