CVE-2025-0107
Published: 11 January 2025
Summary
CVE-2025-0107 is a high-severity OS Command Injection (CWE-78) vulnerability in Paloaltonetworks Expedition. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-0107 is an OS command injection vulnerability, tracked under CWE-78, that affects Palo Alto Networks Expedition. The flaw permits an unauthenticated attacker to execute arbitrary operating system commands as the www-data user, resulting in exposure of usernames, cleartext passwords, device configurations, and PAN-OS firewall API keys.
An unauthenticated remote attacker can exploit the issue over the network without user interaction or credentials. Successful exploitation grants the ability to run commands that directly disclose sensitive credential material and configuration data from connected PAN-OS devices.
The official advisory at https://security.paloaltonetworks.com/PAN-SA-2025-0001 details available patches and mitigation steps for the affected Expedition software.
The CVE carries a CVSS 4.0 score of 7.7 and an EPSS score that has reached a peak of 0.8863 with a current value of 0.8165, indicating substantial exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1504
Vulnerability details
An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys…
more
for firewalls running PAN-OS software.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated OS command injection in a public-facing management application enables remote code execution via Unix shell.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates OS command injection (CWE-78) by requiring validation of all information inputs to prevent arbitrary command execution.
Ensures timely identification, reporting, and remediation of flaws like CVE-2025-0107 through patching as advised in PAN-SA-2025-0001.
Enforces least privilege on the www-data user account to limit the scope of damage from injected commands and prevent disclosure of sensitive data.