Palo Alto Expedition migration tool jeopardizes network security
Palo Alto's Expedition is designed to simplify the migration from other firewalls. New security vulnerabilities jeopardize network security.
(Image: created with AI in Bing Image Creator by heise online / dmk)
The Expedition tool from Palo Alto Networks is used to move from other firewalls to Palo Alto devices. However, due to vulnerabilities, attackers can access important information such as access data and thus compromise networks.
In a security announcement, the Palo Alto developers now list five vulnerabilities in Expedition. The most serious is an SQL injection vulnerability that allows authenticated attackers to read content from the Expedition database, including password hashes, usernames, device configurations and API keys of devices (CVE-2025-0103, CVSS 9.2, risk "critical").
Further vulnerabilities in Expedition
The other security vulnerabilities pose a lesser threat. A reflected cross-site scripting vulnerability allows attackers to run malicious JavaScript code in the browsers of Expedition users and thus take over browser sessions (CVE-2025-0104, CVSS 7.0, high). Palo Alto classifies a vulnerability through which arbitrary files can be deleted (CVE-2025-0105, CVSS 6.9, medium) as only a medium risk; an equally low risk is posed by a vulnerability through which unauthenticated attackers can list files on the host system (CVE-2025-0106, CVSS 6.9, medium). In addition, logged-in users can inject commands that are executed as the user www-data (CVE-2025-0107, CVSS 6.3, medium).
In the overview table, Palo Alto only states the "temporal risk level" according to CVSS, which is always lower over time. This is at least unusual and leads readers to assume that the threat is lower than it actually is. Expedition versions prior to the current version 1.2.101 are affected. Palo Alto points out that Expedition has reached the end of support and that no further updates or security corrections are planned. At the time of reporting, Palo Alto has no knowledge that the security vulnerabilities are already being abused.
Vulnerabilities have also been repeatedly discovered in Palo Alto's Expedition in the recent past. Most recently, these vulnerabilities were attacked in the wild in mid-November. As the tool is apparently being targeted by cyber criminals, IT managers should download and install the available update as soon as possible.
(dmk)