Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data.
“Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database contents and arbitrary files, as well as create and delete arbitrary files on the Expedition system,” the company said in an advisory.
“These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.”
Expedition, a free tool offered by Palo Alto Networks to facilitate migration from other firewall vendors to its own platform, reached end-of-life (EoL) as of December 31, 2024. The list of flaws is as follows –
- CVE-2025-0103 (CVSS score: 7.8) – An SQL injection vulnerability that enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys, as well as create and read arbitrary files
- CVE-2025-0104 (CVSS score: 4.7) – A reflected cross-site scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript code in the context of an authenticated user’s browser if that authenticated user clicks a malicious link that allows phishing attacks and could lead to browser-session theft
- CVE-2025-0105 (CVSS score: 2.7) – An arbitrary file deletion vulnerability that enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host file system
- CVE-2025-0106 (CVSS score: 2.7) – A wildcard expansion vulnerability that allows an unauthenticated attacker to enumerate files on the host file system
- CVE-2025-0107 (CVSS score: 2.3) – An operating system (OS) command injection vulnerability that enables an authenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software
Palo Alto Networks said the vulnerabilities have been addressed in version 1.2.100 (CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107) and 1.2.101 (CVE-2025-0105 and CVE-2025-0106), and that it does not intend to release any additional updates or security fixes.
As workarounds, it’s recommended to ensure that all network access to Expedition is restricted to only authorized users, hosts, and networks, or shut down the service if it’s not in use.
SonicWalls Releases SonicOS Patches
The development coincides with SonicWall shipping patches to remediate multiple flaws in SonicOS, two of which could be abused to achieve authentication bypass and privilege escalation, respectively –
- CVE-2024-53704 (CVSS score: 8.2) – An Improper Authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
- CVE-2024-53706 (CVSS score: 7.8) – A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) that allows a remote authenticated local low-privileged attacker to elevate privileges to root and potentially lead to code execution.
While there is no evidence that any of the aforementioned vulnerabilities have been exploited in the wild, it’s essential that users take steps to apply the latest fixes as soon as possible.
Critical Flaw in Aviatrix Controller Detailed
The updates also come as Polish cybersecurity company Securing detailed a maximum severity security flaw impacting Aviatrix Controller (CVE-2024-50603, CVSS score: 10.0) that could be exploited to obtain arbitrary code execution. It affects versions 7.x through 7.2.4820.
The flaw, which is rooted in the fact that certain code segments in an API endpoint do not sanitize user-supplied parameters (“list_flightpath_destination_instances” and “flightpath_connection_test”), has been addressed in versions 7.1.4191 or 7.2.4996.
“Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to remotely execute arbitrary code,” security researcher Jakub Korepta said.
