Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910)

A vulnerability (CVE-2024-5910) in Palo Alto Networks Expedition, a firewall configuration migration tool, is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday.

About CVE-2024-5910

Unearthed and reported by Brian Hysell of Synopsys Cybersecurity Research Center (CyRC), CVE-2024-5910 stems from missing authentication for a critical function, which can lead to an Expedition admin account takeover for attackers with network access to the installation.

Palo Alto Networks provided a security update fixing the vulnerability in July 2024. The company also advised those who couldn’t upgrade to make sure network access to their Expedition installation is restricted to authorized users, hosts, or networks.

The public disclosure of CVE-2024-5910 has spurred Horizon3.ai researchers to disclose (three months later) that the vulnerability could be exploited by sending a simple request to an exposed endpoint to reset the admin password:

Figure: Resetting the admin password (Source: Horizon3.ai)

They also decided to probe the tool for further weaknesses, and they found three:

  • CVE-2024-9464: An authenticated command injection
  • CVE-2024-9465: An unauthenticated SQL injection
  • CVE-2024-9466: Cleartext credentials in logs

Fixes for those vulnerabilities were released in October 2024. But proof-of-concept exploit code for chaining CVE-2024-5910 with CVE-2024-9464 to achieve “unauthenticated” arbitrary command execution on vulnerable Expedition servers is publicly accessible.

What to do?

Whether CVE-2024-5910 is being exploited by itself or in conjunction with another vulnerability is unknown, because CISA didn’t share that information.

Palo Alto Networks has updated the advisory to say that they are “aware of reports from CISA that there is evidence of active exploitation for this CVE.”

If they haven’t already, users should upgrade their Expedition installation to a fixed version and make sure it is not exposed to the internet (there is no reason for it to be).

Next, they should rotate all Expedition usernames, passwords, and API keys, as well as all firewall usernames, passwords, and API keys processed by Expedition.

Horizon3.ai’s Zach Hanley has previously explained how to check for indicators of compromise.

Zeljka Zorz
