
CVE-2025-0107

Severity: High
Published: 11 January 2025
Modified: 23 January 2026
KEV Added: not listed
CVSS Score (v4): 7.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Green)
EPSS Score: 0.8165 (99.2nd percentile)
Risk Priority: 64 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0107 is a high-severity OS Command Injection (CWE-78) vulnerability in Palo Alto Networks Expedition. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.8% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-0107 is an OS command injection vulnerability, tracked under CWE-78, that affects Palo Alto Networks Expedition. The flaw permits an unauthenticated attacker to execute arbitrary operating system commands as the www-data user, resulting in exposure of usernames, cleartext passwords, device configurations, and PAN-OS firewall API keys.

An unauthenticated remote attacker can exploit the issue over the network without user interaction or credentials. Successful exploitation grants the ability to run commands that directly disclose sensitive credential material and configuration data from connected PAN-OS devices.

The official advisory at https://security.paloaltonetworks.com/PAN-SA-2025-0001 details available patches and mitigation steps for the affected Expedition software.

The CVE carries a CVSS 4.0 score of 7.7 and an EPSS score that has reached a peak of 0.8863 with a current value of 0.8165, indicating substantial exploitation likelihood.


Vulnerability details

An OS command injection vulnerability in Palo Alto Networks Expedition enables an unauthenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated OS command injection in a public-facing management application enables remote code execution via Unix shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0103 (same product: Palo Alto Networks Expedition)
CVE-2025-0105 (same product: Palo Alto Networks Expedition)
CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)

Affected Assets

paloaltonetworks / expedition, versions ≤ 1.2.101

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly mitigates OS command injection (CWE-78) by requiring validation of all information inputs to prevent arbitrary command execution.

Flaw remediation (prevent): Ensures timely identification, reporting, and remediation of flaws like CVE-2025-0107 through patching as advised in PAN-SA-2025-0001.

AC-6 Least Privilege (prevent): Enforces least privilege on the www-data user account to limit the scope of damage from injected commands and prevent disclosure of sensitive data.
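The input-validation control above (SI-10) is abstract, so the following added example shows what it looks like in code for the CWE-78 pattern: a command string built by splicing an untrusted value into a shell command, beside the hardened form that allowlists the value and passes it as a single argument vector element with no shell. This is illustration code written for this page, not Expedition's code or anything from the advisory; the `host` parameter, the `ping` command, the hostname allowlist and the constructed tainted input are all assumptions.

```python
"""CWE-78 in miniature: the vulnerable pattern beside the hardened one.

Added example, not code from the Expedition project or the advisory.
The 'host' parameter, the ping command and the allowlist are assumptions
chosen to illustrate SI-10 (input validation) and shell-free execution.
"""
import re
import subprocess

# Allowlist for a hostname/IP-style value: letters, digits, dot, hyphen.
# Shell metacharacters (; | & $ ` and whitespace) are outside the set.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell string.

    Handed to a shell (subprocess.run(cmd, shell=True), PHP shell_exec,
    and so on), anything after a metacharacter in `host` is interpreted
    as a further command running under the web server account.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """SI-10 style check: reject any value outside the allowlist."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_command_safe(host: str) -> list[str]:
    """Hardened pattern: validated value becomes one argv element."""
    return ["ping", "-c", "1", validate_hostname(host)]


def is_rejected(host: str) -> bool:
    """True when the validator refuses the value."""
    try:
        validate_hostname(host)
    except ValueError:
        return True
    return False


def run_argv(argv: list[str]) -> str:
    """Execute without a shell: each argv element is passed literally."""
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def literal_roundtrip(value: str) -> str:
    """Show that with an argv list, metacharacters stay in one argument.

    Uses `echo` (assumed present on any POSIX host); the value comes back
    unchanged instead of being split at the ';' into a second command.
    """
    return run_argv(["echo", value]).rstrip("\n")


if __name__ == "__main__":
    tainted = "fw-1.example.net; extra-command"   # constructed tainted input
    print("unsafe shell string :", build_command_unsafe(tainted))
    print("validator rejects it:", is_rejected(tainted))
    print("argv-only echo      :", literal_roundtrip(tainted))
    print("hardened argv       :", build_command_safe("fw-1.example.net"))
```

The two defences are independent: the allowlist stops the tainted value before any command is built, and the argv form means that even a value the allowlist let through cannot reach a shell parser. Either one alone would have broken the injection; together they also cover the case where a later change loosens the regex.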
