CVE-2025-0105
Published: 11 January 2025
Summary
CVE-2025-0105 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks in the top 10.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0105 is an arbitrary file deletion vulnerability in Palo Alto Networks Expedition that arises from external control of a file name or path, tracked as CWE-73. The flaw permits deletion of arbitrary files on the host filesystem that are accessible to the www-data user.
An unauthenticated remote attacker can exploit the issue over the network without any privileges or user interaction to remove chosen files, resulting in limited integrity impact on the affected system.
The associated security advisory is published at https://security.paloaltonetworks.com/PAN-SA-2025-0001. The EPSS score rose from lower values after disclosure to a peak of 0.0561 on 2026-03-10 before receding to the current level of 0.0437.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1502
Vulnerability details
An arbitrary file deletion vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host filesystem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file deletion vulnerability directly enables T1070.004 (File Deletion) for indicator removal and T1485 (Data Destruction) for integrity/availability impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the arbitrary file deletion vulnerability by validating inputs to prevent path traversal or external control of file paths as in CWE-73.
- Enforces logical access controls to block unauthenticated attackers from performing unauthorized file deletion operations on the host filesystem.
- Limits the impact of exploitation by restricting the www-data process to least privilege, preventing deletion of critical files outside its minimal required scope.