CISA Issues Warning Over Exploitation of Critical Palo Alto Networks Vulnerability

November 7, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted the public about attackers exploiting a critical missing-authentication vulnerability in Palo Alto Networks Expedition, a tool that aids in converting firewall configurations from vendors such as Checkpoint and Cisco to PAN-OS. The flaw, identified as CVE-2024-5910, was patched in July. However, threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers. CISA stated, "Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data."

The details of these attacks have yet to be fully disclosed by the cybersecurity agency. However, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit in October that chains this admin-reset flaw with CVE-2024-9464, a command injection vulnerability patched last month, to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers. By chaining CVE-2024-9464 with other security flaws (also addressed by Palo Alto Networks in October), threat actors can take over firewall admin accounts and hijack PAN-OS firewalls.

Administrators who are unable to install the security updates immediately are advised to limit Expedition network access to authorized users, hosts, or networks. Palo Alto Networks advised, "All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition. All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating." The company has yet to update its security advisory to warn customers of ongoing CVE-2024-5910 attacks.

CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog on Thursday. As a result of the binding operational directive (BOD 22-01) issued in November 2021, U.S. federal agencies must now secure vulnerable Palo Alto Networks Expedition servers on their networks against attacks within three weeks, by November 28. CISA warned, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
