Palo Alto Networks Expedition Tool Vulnerability Exposes Firewall Credentials
Multiple vulnerabilities in Palo Alto Networks’ Expedition migration tool have been discovered, potentially exposing sensitive firewall credentials, including usernames, cleartext passwords, device configurations, and API keys.

These vulnerabilities pose significant risks to organizations using the tool for firewall migration and optimization.

Expedition, formerly known as the Migration Tool, is a free utility designed to assist in migrating configurations from third-party firewalls to Palo Alto Networks’ Next-Generation Firewall (NGFW) platform.

However, it is intended only for temporary use during migrations and is not recommended for production environments. The tool reached its End of Life (EoL) on December 31, 2024.

Details Of The Vulnerabilities

The vulnerabilities, tracked under CVE identifiers CVE-2025-0103 through CVE-2025-0107, include:

CVE-2025-0103 (CVSS 7.8): An SQL injection vulnerability allows authenticated attackers to access Expedition’s database, revealing sensitive information like password hashes and device configurations. It also enables attackers to create or read arbitrary files on the system.

CVE-2025-0104 (CVSS 4.7): A reflected cross-site scripting (XSS) vulnerability could let attackers execute malicious JavaScript in an authenticated user’s browser, enabling phishing attacks or session theft.

CVE-2025-0105 (CVSS 2.7): An arbitrary file deletion vulnerability allows unauthenticated attackers to delete files accessible to the Expedition system’s “www-data” user.

CVE-2025-0106 (CVSS 2.7): A wildcard expansion vulnerability permits unauthenticated attackers to enumerate files on the system.

CVE-2025-0107 (CVSS 2.3): An OS command injection vulnerability enables authenticated attackers to execute arbitrary OS commands as the “www-data” user, exposing sensitive firewall credentials in cleartext.
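The classes listed above (SQL injection, OS command injection, and unchecked file names that allow deletion or wildcard enumeration) are generic web-application defects, so the defensive patterns are the same in any code base. The following is an added example and is not Expedition's code or anything published by Palo Alto Networks: it uses a constructed in-memory device table and hypothetical handler names (lookup_device_unsafe, lookup_device_safe, build_ping_argv, resolve_user_file) to show the vulnerable pattern beside the hardened one for the injection and file-handling classes. The reflected XSS class is not covered here.

```python
import re
import sqlite3
from pathlib import Path

# Constructed sample data: a migration tool's device table (hypothetical schema,
# not Expedition's). Password hashes are placeholders.
SAMPLE_DEVICES = [
    ("fw-edge-01", "admin", "placeholder-hash-1"),
    ("fw-core-02", "netops", "placeholder-hash-2"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample device rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_DEVICES)
    conn.commit()
    return conn


def lookup_device_unsafe(conn, name):
    """Vulnerable pattern: the caller's string is spliced into the SQL text,
    so quote characters in `name` change the structure of the query."""
    query = f"SELECT name, username FROM devices WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_device_safe(conn, name):
    """Hardened pattern: a parameterised query. The value travels separately
    from the statement and is matched literally, whatever it contains."""
    query = "SELECT name, username FROM devices WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Allow-list for anything that will end up in a command line or a file name:
# must start alphanumeric, then only alphanumerics, dot, underscore, hyphen.
# No spaces, shell metacharacters, wildcards or path separators can pass.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def safe_name(value):
    """Return `value` unchanged if it matches the allow-list, else raise."""
    if not SAFE_NAME_RE.fullmatch(value):
        raise ValueError(f"rejected unsafe name: {value!r}")
    return value


def build_ping_argv(host):
    """Hardened command construction: an argument list for subprocess.run
    (no shell), so metacharacters are never interpreted, and the host is
    allow-listed first. Returns the argv instead of running it."""
    return ["ping", "-c", "1", safe_name(host)]


def resolve_user_file(base_dir, filename):
    """Hardened file access for delete/read handlers: allow-list the name
    (no wildcards, no separators) and confirm the resolved path sits
    directly inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / safe_name(filename)).resolve()
    if target.parent != base:
        raise ValueError("path escapes base directory")
    return target


def is_rejected(func, *args):
    """True if func(*args) raises ValueError; used to exercise the guards."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe lookup rows:", len(lookup_device_unsafe(db, probe)))  # 2
    print("safe lookup rows:  ", len(lookup_device_safe(db, probe)))    # 0
    print("ping argv:", build_ping_argv("fw-edge-01"))
    print("rejects '*.xml':", is_rejected(resolve_user_file, "/tmp", "*.xml"))  # True
```

The two lookups differ only in whether the input is part of the SQL text; the same textbook probe returns every device row from the concatenated query and nothing from the parameterised one. The allow-list is deliberately narrow: rejecting anything outside it is cheaper and more reliable than trying to escape shell or glob characters after the fact.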

These vulnerabilities do not directly affect Palo Alto Networks firewalls, Panorama appliances, Prisma Access deployments, or Cloud NGFWs. However, they significantly compromise the security of systems running vulnerable versions of Expedition.

Palo Alto Networks has released patches addressing these issues in Expedition version 1.2.101 and later. Organizations are urged to upgrade immediately and rotate all credentials processed through the tool.

Additionally, restricting network access to authorized users and shutting down unused Expedition instances are critical steps to mitigate risks.
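The three steps above (upgrade to 1.2.101 or later, rotate credentials, restrict access or shut down unused instances) are easy to apply by hand to one instance and easy to miss across a fleet. The following is an added example, not a Palo Alto Networks tool: it triages a constructed inventory of hypothetical hosts against the fixed version named on this page, comparing versions numerically rather than as strings (a plain string comparison would rank 1.2.99 above 1.2.101 and miss a vulnerable install). The in_use flag and host names are assumptions for the sample.

```python
import re

# Fixed release named in the advisory reported on this page.
FIXED_VERSION = "1.2.101"


def parse_version(text):
    """Turn 'major.minor.patch' into a tuple of ints so comparison is numeric.
    A plain string comparison would wrongly rank '1.2.99' above '1.2.101'."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the instance runs a version older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed inventory of Expedition instances (hypothetical hosts and
# versions; `in_use` marks whether a migration still depends on the instance).
SAMPLE_INVENTORY = [
    {"host": "expedition-a.example", "version": "1.2.99", "in_use": True},
    {"host": "expedition-b.example", "version": "1.2.101", "in_use": True},
    {"host": "expedition-c.example", "version": "1.2.100", "in_use": False},
    {"host": "expedition-d.example", "version": "1.3.0", "in_use": False},
]


def triage(inventory):
    """Map each host to the actions the advisory calls for: unused instances
    are shut down; instances that stay up get upgraded if vulnerable and have
    network access restricted; any vulnerable instance, up or down, has the
    credentials it processed rotated, since they may already be exposed."""
    plan = {}
    for item in inventory:
        actions = []
        vulnerable = is_vulnerable(item["version"])
        if not item["in_use"]:
            actions.append("shut down")
        else:
            if vulnerable:
                actions.append(f"upgrade to {FIXED_VERSION} or later")
            actions.append("restrict network access to authorized users")
        if vulnerable:
            actions.append("rotate all credentials processed through the tool")
        plan[item["host"]] = actions
    return plan


if __name__ == "__main__":
    for host, actions in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(actions)}")
```

Credential rotation is attached to every vulnerable instance regardless of whether it stays up, because the exposure the advisory describes concerns data the tool already handled, not only what it will handle after the upgrade.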

While there is no evidence of active exploitation yet, the availability of proof-of-concept exploits for similar vulnerabilities raises concerns about potential future attacks.

Organizations relying on Expedition must act swiftly to secure their systems and prevent unauthorized access.

As Expedition has reached its EoL, users are advised to transition to alternative tools Palo Alto Networks recommends for firewall migration and policy optimization.

The discovery underscores the importance of securing temporary tools like Expedition that handle sensitive data during critical processes such as firewall migrations.
