cbcvebase.
CVE-2025-0107
published 2025-01-11


Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 77.65% (99.5th percentile)
An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.

Affected

5 ranges

Vendor              Product        Version range      Fixed in
palo_alto_networks  expedition     >= 1, < 1.2.100    1.2.100
paloalto            pan-os
paloalto            panorama
paloalto            prisma_access
paloaltonetworks    expedition     < 1.2.101          1.2.101

Detection & IOCs (extracted from sources)

url: /API/regionsDiscovery.php?master=spark%3A%2F%2F{{interactsh-url}}:443&mask=26&project=your_project&devices=device1%2Cdevice2&mtserver=127.0.0.1%3A3306&mtuser=root&mtpassword=paloalto&task-id=1193&mode=pre-analysis&regions=&parquetPath=%2Ftmp&timezone=Europe%2FHelsinki&mlserver=127.0.0.1&debug=false&initDate=2023-01-01&endDate=2023-01-31
path: /API/regionsDiscovery.php
command: master=spark://
snort:
  alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto Expedition OS Command Injection (CVE-2025-0107)"; flow:established,to_server; http.uri; content:"/API/regionsDiscovery.php|3f|"; fast_pattern; content:"master|3d|"; pcre:"/^[^\x26]*?spark(?:\x3a|\x253[aA])(?:\x2f|\x252[fF]){2}/R"; http.method; content:"GET"; reference:url,ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/; reference:cve,2025-0107; classtype:web-application-attack; sid:2064937; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2025_0107, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets GET requests to /API/regionsDiscovery.php with a `master` parameter containing a spark:// URI (including URL-encoded variants %3a and %2f) — this is the OS command injection vector.
  • Nuclei template confirms successful exploitation by matching response body containing both 'msg":"Started' and '"success":true' — use these strings for response-based detection.
  • Shodan/FOFA queries can identify exposed Expedition instances: shodan-query `title:"Expedition"` and fofa-query `title=="Expedition Project"`.
  • The exploit is unauthenticated and executes commands as the www-data user; monitor for unexpected outbound DNS/network connections from the Expedition host process.
  • ET rule SID 2064937 (rev:1) provides a high-confidence network signature for this exploit; deploy on perimeter, internal, and SSLDecrypt-capable sensors.
  • CVE-2025-0107 is part of a cluster of five Expedition vulnerabilities (CVE-2025-0103 through CVE-2025-0107); chaining them (e.g., SQLi + OS command injection) may yield higher-impact attacks than any single CVE alone.
  • Expedition reached End of Life on December 31, 2024; no further patches are expected. The vendor recommends decommissioning the tool entirely rather than patching.
  • The vulnerability does not directly affect PAN-OS firewalls, Panorama, Prisma Access, or Cloud NGFWs; impact is limited to the Expedition host and the credentials/configs it stores.
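The request-side logic of the ET rule above (GET to /API/regionsDiscovery.php with a `master` value carrying spark:// in plain or URL-encoded form) and the response strings from the Nuclei note, re-expressed as a log scanner. This is an added example, not code from the page's sources or from Palo Alto Networks; it assumes Apache-style access-log lines, and the IPs and log lines below are constructed.

```python
import re
from urllib.parse import urlsplit

# Path and parameter taken from the ET rule; the regex mirrors its PCRE:
# inside the `master` value, "spark" then ":" (or %3a) then two "/" (or %2f).
TARGET_PATH = "/API/regionsDiscovery.php"
SPARK_URI = re.compile(r"^[^&]*?spark(?::|%3[aA])(?:/|%2[fF]){2}")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_cve_2025_0107_probe(log_line: str) -> bool:
    """True when an access-log line matches the rule's request pattern."""
    m = REQUEST_LINE.search(log_line)
    if not m or m.group("method") != "GET":  # the rule is scoped to GET
        return False
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return False
    # Inspect the raw (still percent-encoded) query: the rule itself accepts
    # %3a / %2f variants, so decoding first would only widen the match.
    for param in parts.query.split("&"):
        name, sep, value = param.partition("=")
        if sep and name == "master" and SPARK_URI.match(value):
            return True
    return False


def indicates_started(response_body: str) -> bool:
    """Response-side check from the Nuclei template: both strings present."""
    return 'msg":"Started' in response_body and '"success":true' in response_body


def scan(lines):
    """Return the log lines that match the request pattern."""
    return [line for line in lines if is_cve_2025_0107_probe(line)]


# Constructed sample access-log lines (hosts and timestamps are made up).
CONSTRUCTED_LOGS = [
    '10.0.0.5 - - [11/Jan/2025:10:00:00 +0000] "GET /API/regionsDiscovery.php?master=spark%3A%2F%2F198.51.100.7:443&mask=26 HTTP/1.1" 200 123',
    '10.0.0.6 - - [11/Jan/2025:10:00:01 +0000] "GET /API/regionsDiscovery.php?project=p&master=spark://198.51.100.7:443 HTTP/1.1" 200 123',
    '10.0.0.7 - - [11/Jan/2025:10:00:02 +0000] "GET /API/regionsDiscovery.php?project=demo&master=local HTTP/1.1" 200 50',
    '10.0.0.8 - - [11/Jan/2025:10:00:03 +0000] "GET /index.php?master=spark://198.51.100.7 HTTP/1.1" 200 50',
    '10.0.0.9 - - [11/Jan/2025:10:00:04 +0000] "POST /API/regionsDiscovery.php?master=spark://198.51.100.7 HTTP/1.1" 200 50',
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOGS):
        print("MATCH:", hit)
```

The POST line is deliberately left unmatched to stay faithful to the rule's `http.method; content:"GET"` clause; drop the method check if you prefer to alert on any method hitting that path with a spark:// master.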

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v4.0  7.7  HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Green
vulncheck        7.7  HIGH