Palo Alto Networks Patches High-Severity Vulnerability in Retired Migration Tool

Palo Alto Networks on Wednesday announced patches for multiple vulnerabilities in the Expedition migration tool, including a high-severity bug leading to sensitive information disclosure.

A free tool previously known as the Migration Tool, Expedition allows organizations to migrate from other firewall vendors to the Palo Alto Networks NGFW platform. Designed as a temporary migration solution that should not be used in production, Expedition was retired on December 31, 2024.

Tracked as CVE-2025-0103 (CVSS score of 7.8), the high-severity issue is described as an SQL injection flaw that could allow authenticated attackers to read database contents and arbitrary files.

It could also be exploited to “create and delete arbitrary files on the Expedition system. These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software,” Palo Alto Networks explains.

The security defect was resolved in Expedition version 1.2.101, which also patches four medium- and low-severity issues leading to JavaScript code execution, arbitrary file deletion, file enumeration, and information disclosure.

To mitigate these issues, customers should “ensure that all network access to Expedition is restricted to only authorized users, hosts, and networks,” and should shut down the Expedition software if not actively using it.

Palo Alto Networks also warns that Expedition will receive no additional updates or security fixes and urges customers to find alternative solutions.

“We are currently in the process of transferring the core functionalities of the tool into new products. […] Starting from January 2025, Palo Alto Networks will no longer support the Expedition tool, including all versions of both Expedition1 and Expedition2 branches,” the company says.

On Wednesday, Palo Alto Networks also announced that it has updated its Prisma Access Browser to include patches for six Chromium vulnerabilities.

Google rolled out two Chrome 131 updates in December to patch these bugs, which include two high-severity type confusion flaws in the V8 JavaScript engine that could be exploited for remote code execution (RCE), and which earned the reporting researchers $55,000 each.

Palo Alto Networks makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

In November 2024, the US cybersecurity agency CISA warned that three critical-severity vulnerabilities in Expedition, patched in July and October, had been exploited in attacks.
