Cyber Posture

CVE-2025-0103

Severity: High

Published: 11 January 2025
Modified: 23 January 2026
KEV Added: not listed
Patch: see vendor advisory PAN-SA-2025-0001
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (63.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0103 is a high-severity SQL injection (CWE-89) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and three other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents SQL injection attacks like CVE-2025-0103 by validating and sanitizing all inputs so that untrusted data cannot alter the structure of database queries.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of flaws such as the SQL injection vulnerability in Palo Alto Networks Expedition through timely patching.

(detect)
Monitors for unauthorized disclosure of sensitive database contents, including password hashes and API keys, that this SQL injection vulnerability enables.
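The SI-10 control above is abstract; the following added example (written for this page, not code from Expedition or Palo Alto Networks) shows concretely what "input validation" and a parameterized query buy you against CWE-89. It builds a constructed in-memory SQLite table shaped like the data the NVD description says was exposed (usernames, password hashes, device API keys; all values are made up), then contrasts a string-built query with a parameterized one and with an allowlist check in front of it. Function and table names are assumptions for the illustration.

```python
"""Generic CWE-89 illustration (added example; not Expedition code).

Contrasts three ways of looking up a user record:
  - lookup_vulnerable:     untrusted value spliced into SQL text (CWE-89)
  - lookup_parameterized:  value bound by the driver (structure cannot change)
  - lookup_hardened:       SI-10 style allowlist check, then parameterized query
All table names, rows and values are constructed for this demo.
"""
import re
import sqlite3

# Constructed sample data; not taken from any real system.
SAMPLE_ROWS = [
    ("alice", "$2y$10$constructedhash1", "constructed-api-key-1"),
    ("bob", "$2y$10$constructedhash2", "constructed-api-key-2"),
]

# Allowlist for what a username is permitted to look like (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_db():
    """Create the constructed in-memory table used by the lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users(username TEXT, password_hash TEXT, api_key TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: the value becomes part of the SQL text, so a quote in it
    changes the statement's structure instead of being treated as data."""
    sql = (
        "SELECT username, password_hash, api_key FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The driver binds the value; whatever it contains, it is compared as a
    string and can never add clauses to the statement."""
    sql = "SELECT username, password_hash, api_key FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_hardened(conn, username):
    """SI-10 style validation in front of the parameterized query: reject
    input that is not a plausible username before it reaches the database."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed input validation")
    return lookup_parameterized(conn, username)


def demo():
    """Run all three lookups on a benign and on a quote-containing input and
    return row counts so the difference is checkable, not just printable."""
    conn = make_db()
    benign = "alice"
    # Constructed textbook tautology input; it turns the string-built WHERE
    # clause into "username = '' OR '1'='1'" and matches every row.
    crafted = "' OR '1'='1"
    try:
        lookup_hardened(conn, crafted)
        hardened_crafted = "not rejected"
    except ValueError:
        hardened_crafted = "rejected"
    return {
        "vulnerable_benign_rows": len(lookup_vulnerable(conn, benign)),
        "vulnerable_crafted_rows": len(lookup_vulnerable(conn, crafted)),
        "parameterized_crafted_rows": len(lookup_parameterized(conn, crafted)),
        "hardened_benign_rows": len(lookup_hardened(conn, benign)),
        "hardened_crafted": hardened_crafted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized lookup alone already stops the structural change (the crafted input simply matches no username); the allowlist check adds a second layer that also keeps malformed input out of logs, error messages and any downstream code that is not parameterized. Both together are what SI-10 asks for at the application layer, while SI-2 (patching to a fixed Expedition build) removes the defect itself.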

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

SQL injection directly enables exploitation of the public-facing management application (T1190), extraction of database contents such as password hashes and API keys (T1213.006 and T1552.001), and arbitrary file read on the Expedition host (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An SQL injection vulnerability in Palo Alto Networks Expedition enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. This vulnerability also enables attackers to create and read arbitrary files on the Expedition system.

Deeper analysis

CVE-2025-0103 is an SQL injection vulnerability (CWE-89) in Palo Alto Networks Expedition. Published on 2025-01-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and affects the Expedition management tool.

An authenticated attacker with network access and low-privilege user rights can exploit this vulnerability to reveal sensitive Expedition database contents, including password hashes, usernames, device configurations, and device API keys. The flaw also allows attackers to create and read arbitrary files on the Expedition system, potentially leading to full compromise.

The Palo Alto Networks security advisory PAN-SA-2025-0001 at https://security.paloaltonetworks.com/PAN-SA-2025-0001 provides details on mitigation and patching.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: paloaltonetworks expedition, versions ≤ 1.2.101

CVEs Like This One

CVE-2025-0107 - Same product: Palo Alto Networks Expedition
CVE-2025-0105 - Same product: Palo Alto Networks Expedition
CVE-2025-0111 - Same vendor: Palo Alto Networks
CVE-2025-0108 - Same vendor: Palo Alto Networks
CVE-2018-25187 - Shared CWE-89
CVE-2025-25257 - Shared CWE-89
CVE-2025-24368 - Shared CWE-89
CVE-2026-23492 - Shared CWE-89
CVE-2025-0114 - Same vendor: Palo Alto Networks
CVE-2019-25541 - Shared CWE-89

References