Palo Alto Networks Warns of Fourth Actively Exploited Critical Flaw in a Week, Spanning Expedition and PAN-OS Firewalls

November 18, 2024

Palo Alto Networks (PAN) has warned customers of a critical, unauthenticated remote code execution (RCE) bug under active exploitation in the management web interface of its PAN-OS firewalls. It is the fourth PAN vulnerability confirmed under active attack within roughly a week; the other three are in Expedition, the company's configuration migration tool.

Expedition is the tool PAN provides to migrate new customers' configurations from other vendors' firewalls to PAN-OS; it is not itself a firewall, and it is where the three earlier flaws live. The newest one, CVE-2024-0012 (CVSS 9.3), is in the PAN-OS management web interface: PAN's critical security bulletin describes threat activity targeting what it calls an unauthenticated remote command execution vulnerability, and the CVE itself is an authentication bypass that lets an unauthenticated attacker with network access to the interface obtain PAN-OS administrator privileges.

The company did not say when it first became aware of the zero-day, but it has released patches for the bug, which stems from a missing authentication check. "Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," according to the Palo Alto Networks security bulletin.

Prior to the PAN bulletin, the Cybersecurity and Infrastructure Security Agency (CISA) added two separate critical Expedition flaws, disclosed on Oct. 9, to its Known Exploited Vulnerabilities (KEV) Catalog: an OS command injection vulnerability (CVE-2024-9463, CVSS 9.9) and a SQL injection vulnerability (CVE-2024-9465, CVSS 9.2). A week earlier, a third Expedition bug, a missing authentication flaw disclosed on July 10 (CVE-2024-5910), had made the KEV list.

Customers are urged to patch as soon as possible and to make sure the management interface is not reachable from the public Internet. PAN recommends that customers "immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet." Both steps matter: the patch removes this bug, while the source allow list limits who can reach the interface at all and so also blunts the next management-interface flaw.
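The restriction in PAN's guidance is enforced in two places in a PAN-OS configuration: the permitted-ip allow list on the dedicated MGT port (under deviceconfig/system) and the permitted-ip list on any interface management profile that enables HTTPS, SSH, HTTP or Telnet on a data-plane interface. The following script is an example added here, not code from Palo Alto Networks or from this article: it audits an exported PAN-OS XML running configuration offline and flags both a missing allow list (any source permitted) and entries that are public address space or cover all sources. The XML excerpt is constructed for illustration, and the CLI strings in the comments are assumed PAN-OS configuration-mode syntax to confirm against your release.

```python
"""Offline audit of a PAN-OS XML config for Internet-exposed management access.

Two places control who may reach management services on a PAN-OS firewall:
  1. deviceconfig/system/permitted-ip  -> allow list for the dedicated MGT port
  2. network/profiles/interface-management-profile/<name>/permitted-ip
     -> allow list for a profile that enables https/ssh/... on a data-plane interface
An empty allow list in either place means "any source", which is exactly the
exposure PAN's bulletin warns about.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample excerpt (not a real device export). The MGT port permits
# an internal /24 but also 0.0.0.0/0, and the "allow-mgmt" profile enables
# HTTPS and SSH with no permitted-ip list at all; "ping-only" is harmless.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.10.5.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
      <network>
        <profiles>
          <interface-management-profile>
            <entry name="allow-mgmt">
              <https>yes</https>
              <ssh>yes</ssh>
              <ping>yes</ping>
            </entry>
            <entry name="ping-only">
              <ping>yes</ping>
            </entry>
          </interface-management-profile>
        </profiles>
      </network>
    </entry>
  </devices>
</config>
"""

# Services that grant management access; ping, SNMP and response pages do not.
MGMT_SERVICES = ("https", "ssh", "http", "telnet")


def broad_entries(cidrs):
    """Return allow-list entries that are outside private address space or
    that match every source (prefix length 0)."""
    broad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0 or not net.is_private:
            broad.append(cidr)
    return broad


def _check(scope, allowed, detail_if_empty):
    """Classify one allow list: missing, too broad, or acceptable (None)."""
    if not allowed:
        return {"scope": scope, "status": "unrestricted", "detail": detail_if_empty}
    broad = broad_entries(allowed)
    if broad:
        return {"scope": scope, "status": "broad", "detail": broad}
    return None


def audit_config(xml_text):
    """Return a list of findings; an empty list means every management
    service is limited to private, non-catch-all source ranges."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Dedicated MGT port. Fix (assumed PAN-OS CLI syntax, verify on your release):
    #    set deviceconfig system permitted-ip 10.10.5.0/24
    #    delete deviceconfig system permitted-ip 0.0.0.0/0
    mgt = [e.get("name") for e in root.findall(".//deviceconfig/system/permitted-ip/entry")]
    finding = _check("mgt", mgt, ["any source"])
    if finding:
        findings.append(finding)

    # 2. Interface management profiles bound to data-plane interfaces. Fix (assumed syntax):
    #    set network profiles interface-management-profile allow-mgmt permitted-ip 10.10.5.0/24
    for prof in root.findall(".//network/profiles/interface-management-profile/entry"):
        enabled = [s for s in MGMT_SERVICES if (prof.findtext(s) or "").strip() == "yes"]
        if not enabled:
            continue  # ping/SNMP-only profiles expose no management service
        allowed = [e.get("name") for e in prof.findall("permitted-ip/entry")]
        finding = _check("profile:" + prof.get("name"), allowed, enabled)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['scope']}: {f['status']} {f['detail']}")
```

Run it against the running configuration exported as XML; anything reported as unrestricted or broad is a management service that an Internet-side source could reach, independently of whether the CVE-2024-0012 patch has been applied.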

The Shadowserver Foundation's device-tracking data showed that on Nov. 14 over 8,700 PAN-OS management interfaces were still exposed to the Internet, down from around 11,000 before PAN's Nov. 8 bulletin. Exposure alone does not prove a device is unpatched, but every exposed interface is reachable by anyone attempting these exploits.

PAN has been in contact with customers identified as at heightened risk, stating, "The security of our customers is our highest priority... We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure."

The company added that Prisma Access and Cloud NGFW are not believed to be affected by CVE-2024-0012. Experts caution security teams not to underestimate the risk of leaving the Expedition flaws exposed either. Ray Kelly, a cybersecurity expert with Black Duck, noted, "OS commanding and SQL injection are among the most critical vulnerabilities in software... When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools."

Last summer, PAN announced that Expedition is being phased out and will no longer be supported as of January 2025, after which it will receive no further fixes; organizations still running it should keep it off the Internet and retire it once their migrations are complete.
