Security Fixes for Palo Alto Networks’ Expedition Tool and Related Updates

Palo Alto Networks has released updates to fix several security flaws in its Expedition migration tool. One of these issues is particularly serious, as it could allow attackers to access sensitive information.

You might be interesteed in: 7 Malware Threats Canadian Businesses Should Watch Out for in 2025

Key Security Issues in the Expedition Tool

According to Palo Alto Networks, multiple vulnerabilities in the Expedition tool could let attackers exploit its database and file system. The tool, which is used for migrating firewalls from other manufacturers to Palo Alto Networks’ platform, officially reached its end-of-life on December 31, 2024. Below are the main issues that were addressed:

1. SQL Injection Vulnerability (CVE-2025-0103)

• Severity: High (CVSS 7.8)
• What it Does: An authenticated attacker could access the Expedition database to view usernames, password hashes, device configurations, and API keys. They could also create or read files.

2. Cross-Site Scripting (XSS) Vulnerability (CVE-2025-0104)

• Severity: Medium (CVSS 4.7)
• What it Does: Allows attackers to inject malicious JavaScript into a user’s browser. This could happen if the user clicks a harmful link, potentially leading to phishing attacks or session hijacking.

3. File Deletion Vulnerability (CVE-2025-0105)

• Severity: Low (CVSS 2.7)
• What it Does: Unauthenticated attackers can delete certain files on the system accessible to the www-data user.

4. Wildcard Expansion Vulnerability (CVE-2025-0106)

• Severity: Low (CVSS 2.7)
• What it Does: Lets unauthenticated attackers list files on the system.

5. Command Injection Vulnerability (CVE-2025-0107)

• Severity: Low (CVSS 2.3)
• What it Does: Authenticated attackers could run system commands as the www-data user. This could expose sensitive data like usernames, passwords, and firewall configurations.

Fixes and Recommendations

Palo Alto Networks has resolved these vulnerabilities in the following updates:

• Version 1.2.100: Addresses CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107.
• Version 1.2.101: Fixes CVE-2025-0105 and CVE-2025-0106.

As the company no longer plans to release updates for Expedition, users are advised to take these steps:

1. Restrict Access: Ensure only authorized users, networks, and hosts can access Expedition.
2. Disable the Tool: If Expedition is no longer needed, shut it down entirely to minimize risk.

SonicWall Security Patches Released

Separately, SonicWall has rolled out updates to address vulnerabilities in its SonicOS software. Two key issues were identified:

1. SSLVPN Authentication Vulnerability (CVE-2024-53704)

• Severity: High (CVSS 8.2)
• What it Does: A remote attacker could bypass the SSLVPN authentication process.

2. Privilege Escalation Vulnerability (CVE-2024-53706)

• Severity: High (CVSS 7.8)
• What it Does: On the Gen7 SonicOS Cloud platform (AWS and Azure versions), a low-privileged user could gain root access, potentially enabling code execution.

While there is no evidence these vulnerabilities have been exploited, users should apply the patches as soon as possible to stay secure.

Critical Flaw in Aviatrix Controller

A serious issue was also identified in Aviatrix Controller, a cloud networking tool. The vulnerability, tracked as CVE-2024-50603, has a maximum CVSS score of 10.0, making it highly critical.

Details of the Vulnerability

• What it Does: An unauthenticated attacker could execute arbitrary code remotely.
• Cause: The flaw stems from improper sanitization of user inputs in API endpoints.

Affected Versions and Fixes

• Versions 7.x to 7.2.4820 are impacted.
• Fixed in versions 7.1.4191 and 7.2.4996.

Cybersecurity researcher Jakub Korepta explained that this issue allowed attackers to exploit operating system commands due to poor input handling.

Final Advice

Organizations using Expedition, SonicOS, or Aviatrix Controller should prioritize applying these fixes. Restricting access to vulnerable tools and staying up to date with patches can help mitigate risks and protect sensitive systems from potential attacks.