Palo Alto Networks Security Advisories / PAN-SA-2024-0006

PAN-SA-2024-0006 Informational Bulletin: Expedition Installation Script Resets Root Password



A hardcoded password in the Palo Alto Networks Expedition VM installation script may allow remote attackers to elevate their privileges to root access on Expedition VMs that are running Expedition, if not changed as per the installation instructions.

The updated version of the script no longer resets the password, eliminating the need to manually change the password after installation.

Additional information can be found in the Expedition installation guide and hardening guide, which recommend both changing the root password and using key-based SSH authentication:

Product Status

Expedition initSetup_v2.0< commit date 20240605>= commit date 20240605

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-798 Use of Hard-coded Credentials


The password is no longer reset in the Expedition initSetup_v2.0 script with a commit date 20240605, and all later Expedition VM script versions. The commit date of the initSetup_v2 script ( can be found at the top of the script as a comment.

If you installed Expedition before June 5, 2024 and did not change the root password after the installation concluded, you should verify the root password is what you expect.

Workarounds and Mitigations

This issue requires the remote attacker to know the password of the root account used in the Expedition VM. You can mitigate this issue by changing the default password of the Expedition VM to a password with industry standard complexity.


Palo Alto Networks thanks Frank "5y5tem5" Mileto for discovering and reporting this issue.


Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.