Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers


Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data.

“Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database contents and arbitrary files, as well as create and delete arbitrary files on the Expedition system,” the company said in an advisory.

“These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.”

Expedition, a free tool offered by Palo Alto Networks to facilitate migration from other firewall vendors to its own platform, reached end-of-life (EoL) as of December 31, 2024. The list of flaws is as follows –

Palo Alto Networks said the vulnerabilities have been addressed in versions 1.2.100 (CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107) and 1.2.101 (CVE-2025-0105 and CVE-2025-0106), and that it does not intend to release any additional updates or security fixes.

As workarounds, it’s recommended to ensure that all network access to Expedition is restricted to only authorized users, hosts, and networks, or shut down the service if it’s not in use.

The development coincides with SonicWall shipping patches to remediate multiple flaws in SonicOS, two of which could be abused to achieve authentication bypass and privilege escalation, respectively –

While there is no evidence that any of the aforementioned vulnerabilities have been exploited in the wild, it’s essential that users take steps to apply the latest fixes as soon as possible.

The updates also come as Polish cybersecurity company Securing detailed a maximum severity security flaw impacting Aviatrix Controller (CVE-2024-50603, CVSS score: 10.0) that could be exploited to obtain arbitrary code execution. It affects versions 7.x through 7.2.4820.

The flaw, which is rooted in the fact that certain code segments in an API endpoint do not sanitize user-supplied parameters (“list_flightpath_destination_instances” and “flightpath_connection_test”), has been addressed in versions 7.1.4191 or 7.2.4996.

“Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to remotely execute arbitrary code,” security researcher Jakub Korepta said.
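Because the Aviatrix fix shipped on two release branches, a single "is the version at least X" comparison misclassifies patched 7.1 controllers. The following triage helper is an added example, not code from Aviatrix or Securing; it assumes versions are reported as plain `major.minor.build` strings, and the hostnames in the inventory are constructed.

```python
import re

# Fixed build per release branch, taken from the article:
# 7.1 branch -> 7.1.4191, 7.2 branch -> 7.2.4996.
FIXED_BUILD = {(7, 1): 4191, (7, 2): 4996}


def parse_version(text):
    """Return (major, minor, build) or None. Assumes 'major.minor.build'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version_text):
    """Classify one controller version against CVE-2024-50603 fix levels."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    major, minor, build = v
    # The article describes the affected range as 7.x through 7.2.4820.
    if major != 7 or minor > 2:
        return "outside-range"
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        # A 7.x branch for which the article names no fixed build (e.g. 7.0).
        return "vulnerable-no-branch-fix"
    # Compare only within the branch. Builds between the last affected build
    # and the fixed build are treated as vulnerable (conservative choice).
    return "patched" if build >= fixed else "vulnerable"


def report(inventory):
    """Map each host in {host: version} to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "ctrl-a.example.internal": "7.1.5000",   # below 7.2.4996 but patched on 7.1
    "ctrl-b.example.internal": "7.2.4820",
    "ctrl-c.example.internal": "7.2.4996",
    "ctrl-d.example.internal": "7.0.100",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```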
