Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers

Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data.
"Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database contents and arbitrary files, as well as create and delete arbitrary files on the Expedition system," the company said in an advisory.
"These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software."
Expedition, a free tool offered by Palo Alto Networks to facilitate migration from other firewall vendors to its own platform, reached end-of-life (EoL) as of December 31, 2024. The list of flaws is as follows -
- CVE-2025-0103 (CVSS score: 7.8) - An SQL injection vulnerability that enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys, as well as create and read arbitrary files
- CVE-2025-0104 (CVSS score: 4.7) - A reflected cross-site scripting (XSS) vulnerability that enables attackers to execute malicious JavaScript code in the context of an authenticated user's browser if that authenticated user clicks a malicious link that allows phishing attacks and could lead to browser-session theft
- CVE-2025-0105 (CVSS score: 2.7) - An arbitrary file deletion vulnerability that enables an unauthenticated attacker to delete arbitrary files accessible to the www-data user on the host file system
- CVE-2025-0106 (CVSS score: 2.7) - A wildcard expansion vulnerability that allows an unauthenticated attacker to enumerate files on the host file system
- CVE-2025-0107 (CVSS score: 2.3) - An operating system (OS) command injection vulnerability that enables an authenticated attacker to run arbitrary OS commands as the www-data user in Expedition, which results in the disclosure of usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software
Palo Alto Networks said the vulnerabilities have been addressed in version 1.2.100 (CVE-2025-0103, CVE-2025-0104, and CVE-2025-0107) and 1.2.101 (CVE-2025-0105 and CVE-2025-0106), and that it does not intend to release any additional updates or security fixes.
As workarounds, it's recommended to ensure that all network access to Expedition is restricted to only authorized users, hosts, and networks, or shut down the service if it's not in use.
SonicWalls Releases SonicOS Patches
The development coincides with SonicWall shipping patches to remediate multiple flaws in SonicOS, two of which could be abused to achieve authentication bypass and privilege escalation, respectively -
- CVE-2024-53704 (CVSS score: 8.2) - An Improper Authentication vulnerability in the SSLVPN authentication mechanism that allows a remote attacker to bypass authentication.
- CVE-2024-53706 (CVSS score: 7.8) - A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) that allows a remote authenticated local low-privileged attacker to elevate privileges to root and potentially lead to code execution.
While there is no evidence that any of the aforementioned vulnerabilities have been exploited in the wild, it's essential that users take steps to apply the latest fixes as soon as possible.
Critical Flaw in Aviatrix Controller Detailed
The updates also come as Polish cybersecurity company Securing detailed a maximum severity security flaw impacting Aviatrix Controller (CVE-2024-50603, CVSS score: 10.0) that could be exploited to obtain arbitrary code execution. It affects versions 7.x through 7.2.4820.
The flaw, which is rooted in the fact that certain code segments in an API endpoint do not sanitize user-supplied parameters ("list_flightpath_destination_instances" and "flightpath_connection_test"), has been addressed in versions 7.1.4191 or 7.2.4996.
"Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to remotely execute arbitrary code," security researcher Jakub Korepta said.
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
InformationalUsername Hash Found
InformationalModern Web Application
InformationalBase64 Disclosure in WebSocket message
MediumBuffer Overflow
InformationalInformation Disclosure - Suspicious Comments
CWE-163 Improper Neutralization of Multiple Trailing Special Elements
CWE-1080 Source Code File with Excessive Number of Lines of Code
HighCWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
HighCWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-797 Only Filtering Special Elements at an Absolute Position
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
Free online web security scanner