
CISA Warns of Two More Palo Alto Expedition Flaws Exploited in Attacks

CISA has added two more Palo Alto Networks Expedition flaws, CVE-2024-9463 and CVE-2024-9465, to its KEV catalog.


The cybersecurity agency CISA on Thursday warned about two additional Palo Alto Networks Expedition vulnerabilities exploited in attacks. 

On November 7, CISA informed organizations that it had become aware that CVE-2024-5910, a Palo Alto Networks Expedition vulnerability patched in July, has been exploited in attacks.

CVE-2024-5910 is a critical missing authentication issue that allows an attacker with network access to Expedition to take over administrator accounts. The flaw puts credentials and configuration secrets at risk.

Expedition is a tool designed to make it easier for users to migrate a configuration from a third-party vendor such as Check Point or Cisco to a Palo Alto Networks product.  

On November 14, CISA warned about the exploitation of two additional Expedition vulnerabilities. The flaws, tracked as CVE-2024-9463 and CVE-2024-9465, are rated critical and were patched by the vendor in early October.

Palo Alto Networks updated its initial advisory on Thursday to say that it learned about the active exploitation of CVE-2024-9463 and CVE-2024-9465 from CISA. 

CVE-2024-9463 is an OS command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root, resulting in the disclosure of cleartext credentials, device configurations, and API keys. 

CVE-2024-9465 is an SQL injection flaw that can be exploited by an unauthenticated attacker to obtain sensitive information from the Expedition database, and to create and read arbitrary files on the system. 


News of the two additional Expedition vulnerabilities being exploited in the wild comes just as Palo Alto Networks has confirmed that a new remote code execution vulnerability impacting its firewalls has been exploited in attacks as a zero-day. The new zero-day does not have a CVE identifier at the time of writing. 

The attacks do not appear to be related, as Palo Alto Networks said it learned about the exploitation of all of the Expedition vulnerabilities from CISA.

There does not seem to be any public information on the attacks exploiting the three Expedition vulnerabilities. It’s unclear if the three flaws have been exploited by the same threat actor or in unrelated attacks. 

The technical details of CVE-2024-5910 and CVE-2024-9465 were disclosed on October 9 by cybersecurity firm Horizon3.ai.

All of the Palo Alto Networks Expedition flaws have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with the agency instructing government organizations to take action to prevent potential exploitation. 

Related: Palo Alto Networks Confirms New Firewall Zero-Day Exploitation

Related: Palo Alto Networks Adds New Capabilities to OT Security Solution

Related: Palo Alto Patches Critical Firewall Takeover Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
