Recent Palo Alto RCE
A vulnerability in Palo Alto Expedition allows remote attackers who can reach the web interface to execute arbitrary code.
1/19/2025 · 1 min read


Several vulnerabilities in the Palo Alto Networks Expedition migration tool allow an attacker to access Expedition database contents and arbitrary files, as well as create and delete files on the Expedition system. These files can contain sensitive information, such as usernames, plaintext passwords, device configurations, and API keys for firewalls running PAN-OS software.
Expedition, formerly known as the Migration Tool, is a free utility that aids in migrating to the Palo Alto Networks NGFW platform from other firewall vendors and offers a temporary workspace for optimizing Palo Alto Networks security policies. It is intended solely for temporary migration tasks and should not be used in production environments. The tool is not required to operate any Palo Alto Networks products or services. Expedition reached its End of Life (EoL) on December 31, 2024, and users are advised to transition to the recommended alternatives outlined in the Expedition End of Life Announcement.
Credit
An independent security researcher working with SSD Secure Disclosure.
Vendor Response
Palo Alto has released the following advisory and fix: https://security.paloaltonetworks.com/PAN-SA-2025-0001
Affected Versions
Palo Alto Expedition version 1.2.101 and prior
The RCE
CVE-2025-0107
A vulnerability in the /API/regionsDiscovery.php endpoint allows an unauthenticated attacker to make the Expedition server connect to an Apache Spark server of the attacker's choosing, and that connection can then be used to execute arbitrary code on Expedition.
This works because the attacker's fake Apache Spark server answers with a compiled Java package, which the Palo Alto Expedition server then executes.
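For defenders, the two quick checks that follow from the above are whether a deployed Expedition is in the affected range and whether anything has been hitting the vulnerable endpoint. The script below is an added example, not code from SSD or Palo Alto; it assumes Expedition is served by Apache httpd writing the standard "combined" access-log format, and the log lines it scans are constructed samples.

```python
import re

# Endpoint named in the advisory for CVE-2025-0107; compared after lower-casing.
TARGET_PATH = "/api/regionsdiscovery.php"
# The advisory states that 1.2.101 and prior are affected.
LAST_AFFECTED = (1, 2, 101)

# Apache "combined" access-log format (assumption: Expedition is fronted by httpd).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_version(version: str) -> tuple:
    """'1.2.101' -> (1, 2, 101); non-numeric components raise ValueError."""
    return tuple(int(p) for p in version.strip().split("."))

def is_affected_version(version: str) -> bool:
    """True when the version is 1.2.101 or earlier, the range the advisory names."""
    return parse_version(version) <= LAST_AFFECTED

def find_regions_discovery_hits(log_lines):
    """Return one record per request whose path is the regionsDiscovery endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line or not an access-log entry
        path, _, query = m["target"].partition("?")
        if path.lower() != TARGET_PATH:
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "query": query,
        })
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2025:10:15:01 +0000] "GET /API/regionsDiscovery.php HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.23 - - [19/Jan/2025:10:15:09 +0000] "POST /API/regionsDiscovery.php?sample=1 HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '192.0.2.10 - - [19/Jan/2025:10:16:30 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Jan/2025:10:16:45 +0000] "GET /API/otherEndpoint.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_regions_discovery_hits(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} status={h["status"]} query={h["query"]!r}')
```

Any hit on a host that should only be used for temporary migration work is worth following up, especially alongside unexpected outbound connections from that host.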
Official Advisory: https://security.paloaltonetworks.com/PAN-SA-2025-0001
SSD Advisory: https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/