Cyber Resilience

CVE-2025-0105

Medium

Published: 11 January 2025

Modified: 23 January 2026
CVSS Score v4: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Green
EPSS Score: 0.0437 (89.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0105 is a medium-severity External Control of File Name or Path (CWE-73) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks in the top 10.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-0105 is an arbitrary file deletion vulnerability in Palo Alto Networks Expedition that arises from improper limitation of a pathname to a restricted directory, tracked as CWE-73. The flaw permits deletion of arbitrary files on the host filesystem that are accessible to the www-data user.

An unauthenticated remote attacker can exploit the issue over the network without any privileges or user interaction to remove chosen files, resulting in limited integrity impact on the affected system.

The associated security advisory is published at https://security.paloaltonetworks.com/PAN-SA-2025-0001. The EPSS score rose from lower values after disclosure to a peak of 0.0561 on 2026-03-10 before receding to the current level of 0.0437.

Vulnerability details

An arbitrary file deletion vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host filesystem.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1070.004 · File Deletion · Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.

T1485 · Data Destruction · Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

An arbitrary file deletion vulnerability directly enables T1070.004 (File Deletion) for indicator removal and T1485 (Data Destruction) for integrity/availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0103 · Same product: Palo Alto Networks Expedition
CVE-2025-0107 · Same product: Palo Alto Networks Expedition
CVE-2020-37080 · Shared CWE-73
CVE-2026-23898 · Shared CWE-73
CVE-2025-0111 · Same vendor: Palo Alto Networks
CVE-2026-25605 · Shared CWE-73
CVE-2025-0118 · Same vendor: Palo Alto Networks
CVE-2025-66292 · Shared CWE-73
CVE-2026-3892 · Shared CWE-73
CVE-2020-37078 · Shared CWE-73

Affected Assets

Vendor: paloaltonetworks · Product: expedition · Versions: ≤ 1.2.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the arbitrary file deletion vulnerability by validating inputs to prevent path traversal or external control of file paths as in CWE-73.

prevent: Enforces logical access controls to block unauthenticated attackers from performing unauthorized file deletion operations on the host filesystem.

prevent: Limits the impact of exploitation by restricting the www-data process to least privilege, preventing deletion of critical files outside its minimal required scope.