Remote Code Execution Vulnerability in Palo Alto Networks Expedition Tool (CVE-2025-0107)

ISGroup Cybersecurity

CVE-2025-0107 is a critical vulnerability in the Palo Alto Networks Expedition migration tool (version 1.2.101 and earlier). The tool, widely used to support migrations to the Palo Alto Networks NGFW platform, reached its End-of-Life (EoL) on December 31, 2024. Although it was designed for temporary use, many organizations continue to rely on Expedition in production environments, increasing exposure to the risk of exploitation.

The vulnerability has attracted significant attention following the public disclosure of technical details and a proof-of-concept (PoC) exploit by a security researcher in collaboration with SSD Secure Disclosure. This disclosure raises public awareness, but also increases the risk of active exploitation by malicious actors.

ProductExpedition Project
Date2025-01-21 09:35:16
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2025-0107 is a remote code execution vulnerability caused by inadequate validation in the /API/regionsDiscovery.php endpoint. This flaw allows unauthenticated attackers to manipulate the Expedition application into connecting to an attacker-controlled Apache Spark server. The malicious server can provide a specially crafted Java package as a response, which is then executed by the vulnerable Expedition server without proper verification.

If exploited, this vulnerability allows the attacker to execute arbitrary code on the Expedition server. The issue stems from insufficient security measures in handling external connections and processing Java packages. The availability of PoC exploit code significantly increases the likelihood of exploitation.

Recommendations

  1. Decommission Expedition: Accelerate the removal of Expedition from all environments, as it has reached EoL and no longer receives security updates.
  2. Restrict Access: Immediately isolate any remaining Expedition systems by limiting network access and blocking external communications.
  3. Switch to Supported Tools: Use supported migration tools or alternatives recommended by Palo Alto Networks.
  4. Update Policies: Implement a clear deprecation policy for EoL software to prevent the continued use of unsupported tools in production environments.

[Callforaction-THREAT-Footer]