FlagThis - #PaloAlto

Multiple vulnerabilities have been discovered in Palo Alto Networks' Expedition migration tool, posing significant security risks. These flaws could allow attackers to gain unauthorized access to sensitive data such as usernames, cleartext passwords, device configurations, and API keys associated with firewalls running PAN-OS software. An OS command injection vulnerability, identified as CVE-2025-0107, allows authenticated attackers to execute arbitrary OS commands, potentially leading to data breaches and system compromise. Other vulnerabilities include SQL injection (CVE-2025-0103), reflected cross-site scripting (CVE-2025-0104), arbitrary file deletion (CVE-2025-0105) and a wildcard expansion enumeration (CVE-2025-0106).

The Expedition tool, intended for firewall migration and optimization, reached its End of Life (EoL) on December 31, 2024, and is no longer supported or updated. Organizations are strongly advised to transition away from using Expedition and to explore alternative migration tools. While Palo Alto Networks has released patches in versions 1.2.100 and 1.2.101, no further updates are planned for the tool. Until users can migrate, it is recommended to restrict network access to Expedition to only authorized users, hosts, and networks, or to shut down the service if it's not in use.


References :

• gbhackers.com: Palo Alto Networks Expedition Tool Vulnerability Let Attackers Access Cleartext Passwords
• : Palo Alto Networks security advisories 08 January 2025: Expedition: Multiple Vulnerabilities in Expedition Migration Tool Lead to Exposure of Firewall Credentials
• securityonline.info: CISA Alerts on Actively Exploited Vulnerabilities in Mitel MiCollab and Oracle WebLogic Server
• ciso2ciso.com: Mitel 0-day, 5-year-old Oracle RCE bug under active exploit – Source: go.theregister.com
• The Hacker News: CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
• Latest from TechRadar: CISA says Oracle and Mitel have critical security flaws being exploited
• ciso2ciso.com: Mitel 0-day, 5-year-old Oracle RCE bug under active exploit – Source: go.theregister.com
• gbhackers.com: Palo Alto Networks Expedition Tool Vulnerability Let Attackers Access Cleartext Passwords
• securityonline.info: Mutiple Vulnerabilities Found in Palo Alto Networks Expedition Tool
• socca.tech: CVE-2025-0107: (Palo Alto Networks Expedition: Medium)
• Security Risk Advisors: Multiple Vulnerabilities in Palo Alto Networks Expedition Tool Allow Exposure of Firewall Credentials

Classification:

• HashTags: #PaloAltoNetworks #ExpeditionTool #Vulnerability
• Company: Palo Alto Networks
• Target: Palo Alto Networks Users
• Product: Expedition
• Feature: OS Command Injection
• Type: Vulnerability
• Severity: Major

Critical vulnerabilities have been discovered in Palo Alto Networks firewall devices, potentially allowing attackers to bypass Secure Boot protections and exploit firmware-level flaws. Security firm Eclypsium evaluated three Palo Alto Network appliances, including the PA-3260, PA-1410, and PA-415, uncovering a range of well-known vulnerabilities collectively named "PANdora's Box". These flaws include "Boothole," a buffer overflow vulnerability leading to remote code execution, secure boot bypass issues, and vulnerabilities like LogoFail and PixieFail. These issues could allow attackers to gain elevated privileges, maintain persistence, and completely compromise firewall devices.

The identified vulnerabilities include seven CVEs, and additionally insecure flash access controls and leaked keys which compromise the integrity of the boot process. These flaws, ranging from boot process exploits to vulnerabilities within InsydeH2O UEFI firmware, could lead to privilege escalation, malicious code execution during startup, and information disclosure. Palo Alto Networks is aware of these claims and is working with third party vendors to develop firmware updates, although they state that the vulnerabilities are not exploitable under normal conditions with up-to-date and secured management interfaces, and do not affect PAN-OS CN-Series, PAN-OS VM-Series, Cloud NGFW and Prisma Access.


References :

• eclypsium.com: Eclysium evaluated three Palo Alto Networks appliances, finding known vulnerabilities ranging from "Boothole" (buffer overflow to RCE) and secure boot bypass to LogoFail, PixieFail, leaked keys bypass, etc.
• security.paloaltonetworks.com: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls
• The Hacker News: Palo Alto firewalls found vulnerable to secure boot bypass and firmware exploits
• : Palo Alto Networks See parent toot above. Palo Alto Networks is in damage control mode, after Eclypsium reported that their Next Generation Firewall (NGFW) products were still impacted by multiple known vulnerabilities. Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.
• Pyrzout :vm:: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls – Source: www.securityweek.com
• Patrick C Miller :donor:: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls - SecurityWeek
• ciso2ciso.com: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls – Source: www.securityweek.com

Classification:

• HashTags: #PaloAlto #Firewall #SecureBoot
• Company: Palo Alto Networks
• Target: Palo Alto Firewall Users
• Product: Palo Alto Firewalls
• Feature: Secure Boot Bypass
• Type: Vulnerability
• Severity: Major