Critical Flaws in Palo Alto’s Expedition Tool Exploited by Attackers

November 8, 2024

A critical vulnerability in Palo Alto Networks’ Expedition, the tool used to migrate third-party firewall configurations to PAN-OS, is being actively exploited, and administrators running it need to act now. The flaw, tracked as CVE-2024-5910, is a missing-authentication bug: an unauthenticated attacker who can reach an Expedition server over the network can reset its admin credentials. Because Expedition stores the firewall configurations it migrates, a takeover of the server exposes configuration secrets, credentials, and other sensitive data. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and warns that an attacker who seizes the admin account can chain it with further Expedition bugs such as CVE-2024-9464, a command injection flaw, to run arbitrary commands on the server; taken together, the chain gives command execution with no prior authentication.

Horizon3.ai researcher Zach Hanley has published a proof-of-concept exploit showing how the two flaws chain together for far greater impact. His research shows that an attacker who controls Expedition can recover the admin credentials of the PAN-OS firewalls it manages and use them to hijack those firewalls, which is a serious problem for any organization that relies on Palo Alto’s products for critical operations. Administrators should apply the fixed Expedition release as soon as possible. Where patching cannot happen promptly, restrict network access to Expedition to authorized users and management networks only; it should never be reachable from the internet. After updating, rotate every username, password, and API key that Expedition stored or that was used with it, since an attacker who reached the server may already have copied them.

Urgency and Recommendations

Because CVE-2024-5910 is being exploited in the wild and CISA has flagged it, every Expedition server reachable from the internet should be assumed to be a target. Update Expedition to a release that fixes both CVE-2024-5910 and CVE-2024-9464 as soon as possible. Until the patch is applied, limit network access to Expedition to authorized users and management networks only, and remove any direct internet exposure. After updating, rotate all usernames, passwords, and API keys that Expedition holds or that were used with it, including the PAN-OS firewall credentials it stores, since any attacker who reached the server may already have harvested them.
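One way to carry out the access restriction described above on the Expedition host itself, as an added example that is not part of the original article and is not Palo Alto’s own tooling: a small POSIX shell script that builds an iptables allowlist for the Expedition web interface and drops everything else. It assumes the Expedition UI listens on TCP port 443 (set PORT if yours differs), that the host uses iptables, and that the two management networks in ALLOWED_CIDRS are constructed placeholders you replace with your own. By default it only prints the rules; pass --apply to execute them.

```shell
#!/bin/sh
# Added example (not Palo Alto code): allowlist the Expedition web UI with iptables.
# Assumes the UI is on TCP/443 and the host uses iptables. Dry run unless --apply.

PORT="${PORT:-443}"
# Constructed placeholder management networks; replace with your own.
ALLOWED_CIDRS="${ALLOWED_CIDRS:-10.0.0.0/8 192.168.10.0/24}"

# Print the iptables commands that implement "allowlist, then drop" for $1 (port)
# using the remaining arguments as permitted source CIDRs.
expedition_allowlist_rules() {
    port="$1"; shift
    # Use a dedicated chain so the script can be re-run idempotently.
    echo "iptables -N EXPEDITION_ADMIN 2>/dev/null || iptables -F EXPEDITION_ADMIN"
    for cidr in "$@"; do
        echo "iptables -A EXPEDITION_ADMIN -s $cidr -j ACCEPT"
    done
    # Anything not explicitly allowed is dropped, including the wider internet.
    echo "iptables -A EXPEDITION_ADMIN -j DROP"
    # Hook the chain into INPUT only once (-C checks whether it is already there).
    echo "iptables -C INPUT -p tcp --dport $port -j EXPEDITION_ADMIN 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j EXPEDITION_ADMIN"
}

# Number of ACCEPT rules in a generated rule set; used to refuse an empty allowlist.
count_allow_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

main() {
    # shellcheck disable=SC2086  # word-splitting of ALLOWED_CIDRS is intended
    rules=$(expedition_allowlist_rules "$PORT" $ALLOWED_CIDRS)
    if [ "$(count_allow_rules "$rules")" -eq 0 ]; then
        echo "refusing to continue: an empty allowlist would lock every admin out" >&2
        return 1
    fi
    if [ "$1" = "--apply" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

Run it once without arguments to review the generated rules, then with --apply from a session on an allowed network; the empty-allowlist guard exists because a host-based allowlist with no ACCEPT entries would cut off the very administrators who need to patch it. This restricts the network path only; it does not replace updating Expedition or rotating the credentials it stores.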
