Palo Alto Networks Expedition Tool Vulnerability Exposes Cleartext Firewall Passwords
Palo Alto Networks has disclosed multiple critical security vulnerabilities in its Expedition migration tool, including a concerning OS command injection flaw that enables attackers to execute arbitrary commands and access sensitive firewall credentials.
The command injection vulnerability (CVE-2025-0107) allows authenticated attackers to run arbitrary OS commands as the www-data user, potentially exposing usernames, cleartext passwords, device configurations, and API keys for firewalls running PAN-OS software.
This vulnerability is part of a larger set of security flaws discovered in Expedition, which reached its End of Life (EoL) on December 31, 2024.
The other vulnerabilities that have already been disclosed include SQL injection (CVE-2025-0103, CVSS 7.8), reflected cross-site scripting (CVE-2025-0104, CVSS 4.7), arbitrary file deletion (CVE-2025-0105, CVSS 2.7), and wildcard expansion enumeration (CVE-2025-0106, CVSS 2.7).
Palo Alto Networks has addressed these security issues in version 1.2.100 (for CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107) and version 1.2.101 (for CVE-2025-0105 and CVE-2025-0106). However, since the tool has reached EoL, the company does not plan to release any additional updates or security fixes.
Security researchers have noted that while there is currently no evidence of active exploitation of these new vulnerabilities, the availability of proof-of-concept exploits for similar vulnerabilities raises concerns about potential future attacks.
To mitigate these risks, Palo Alto Networks strongly recommends that organizations:
- Upgrade to Expedition version 1.2.101 or later
- Restrict network access to only authorized users, hosts, and networks
- Disable Expedition entirely when not actively in use
- Consider transitioning away from the tool due to its EoL status
Expedition, formerly known as the Migration Tool, is a free utility designed to assist organizations in transitioning to Palo Alto Networks’ next-generation firewall (NGFW) platform from other vendors.
While these vulnerabilities do not directly affect Palo Alto Networks firewalls, Panorama appliances, Prisma Access deployments, or Cloud NGFWs, they significantly compromise the security of systems running vulnerable versions of Expedition.
Organizations using Expedition are urged to take immediate action to protect their systems and sensitive data from potential exploitation of these vulnerabilities.
The post Palo Alto Networks Expedition Tool Vulnerability Exposes Cleartext Firewall Passwords appeared first on Cyber Security News.