Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity flaw that an authenticated attacker could use to gain access to sensitive data.
“Several vulnerabilities in the Palo Alto Networks Expedition migration tool could allow an attacker to read the contents of the Expedition database and arbitrary files, and to create and delete arbitrary files on the Expedition system,” the company said in an advisory.
“These files include information such as usernames, plaintext passwords, device configurations, and device API keys for firewalls running PAN-OS software.”
Expedition, a free tool offered by Palo Alto Networks to facilitate migration from third-party firewall vendors to its own platform, reached end-of-life (EoL) on December 31, 2024. The list of vulnerabilities is as follows –
- CVE-2025-0103 (CVSS Score: 7.8) – SQL injection vulnerability that could allow an authenticated attacker to expose the contents of the Expedition database, such as password hashes, usernames, device configurations, and device API keys, and to create and read arbitrary files
- CVE-2025-0104 (CVSS Score: 4.7) – A cross-site scripting (XSS) vulnerability that allows attackers to execute malicious JavaScript code in the context of an authenticated user’s browser when that user clicks on a malicious link, enabling phishing attacks and potentially leading to browser session theft
- CVE-2025-0105 (CVSS Score: 2.7) – Arbitrary file deletion vulnerability that allows an unauthenticated attacker to delete arbitrary files accessible by user www-data on the host’s file system
- CVE-2025-0106 (CVSS Score: 2.7) – Wildcard expansion vulnerability that allows an unauthenticated attacker to list files on the host’s file system
- CVE-2025-0107 (CVSS Score: 2.3) – Operating system (OS) command injection vulnerability that allows an authenticated attacker to execute arbitrary OS commands as the www-data user in Expedition, resulting in the disclosure of usernames, plaintext passwords, device configurations, and device API keys for firewalls running PAN-OS software
Palo Alto Networks said the vulnerabilities were fixed in versions 1.2.100 (CVE-2025-0103, CVE-2025-0104 and CVE-2025-0107) and 1.2.101 (CVE-2025-0105 and CVE-2025-0106), and that it does not intend to release any additional updates or security fixes.
As a workaround, it is recommended to ensure that network access to Expedition is restricted to authorized users, hosts, and networks, or to shut down the service when it is not in use.
SonicWall releases SonicOS patches
The development coincides with SonicWall shipping patches to fix multiple flaws in SonicOS, two of which can be exploited to achieve authentication bypass and privilege escalation, respectively –
- CVE-2024-53704 (CVSS Score: 8.2) – Improper authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
- CVE-2024-53706 (CVSS Score: 7.8) – Vulnerability in the Gen7 SonicOS NSv cloud platform (AWS and Azure editions only) that allows a remote attacker with low privileges to escalate privileges to root and potentially lead to code execution.
While there is no evidence that any of the aforementioned vulnerabilities have been exploited in the wild, it is imperative that users take steps to apply the latest patches as soon as possible.
Details about a critical flaw in the Aviatrix controller
The updates also come after Polish cybersecurity company Securing detailed a maximum-severity security flaw affecting the Aviatrix Controller (CVE-2024-50603, CVSS score: 10.0) that could be exploited to execute arbitrary code. The flaw affects versions 7.x through 7.2.4820.
The flaw stems from certain code segments in the API endpoint failing to sanitize user-supplied parameters (“list_flightpath_destination_instances” and “flightpath_connection_test”), and has been fixed in versions 7.1.4191 and 7.2.4996.
“Due to improper neutralization of special elements used in an OS command, an unauthenticated attacker can remotely execute arbitrary code,” security researcher Jakub Korepta said.