Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Palo Alto Networks Expedition Vulnerability Exploited in Attacks, CISA Warns

CISA has added a Palo Alto Networks Expedition flaw tracked as CVE-2024-5910 to its Known Exploited Vulnerabilities Catalog.

Palo Alto Networks

A Palo Alto Networks Expedition vulnerability patched a few months ago is being exploited in attacks, according to the cybersecurity agency CISA.

The vulnerability is tracked as CVE-2024-5910 and it was patched by Palo Alto Networks in July. The security hole has been described as a critical missing authentication issue that can allow an attacker with network access to Expedition to take over an admin account.

Expedition is a tool designed to make it easier for users to migrate a configuration from a third-party vendor such as Check Point or Cisco to a Palo Alto Networks product. 

According to Palo Alto’s advisory for CVE-2024-5910, “Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.” 

The cybersecurity giant updated its advisory on Thursday to note that it has learned from CISA about the active exploitation of the vulnerability. This indicates that CISA learned from a third-party about in-the-wild exploitation, or the agency discovered exploitation itself during one of its investigations. 

No information appears to be available about the attacks exploiting CVE-2024-5910. However, there are less than two dozen internet-exposed instances of Expedition and given the nature of the tool, CVE-2024-5910 has likely been leveraged in limited, targeted attacks. 

Technical details on the flaw were made public by cybersecurity firm Horizon3.ai on October 9. At the same time, Horizon3.ai released information on three other critical and high-severity Expedition vulnerabilities that can be exploited to obtain credentials and other sensitive information. There is no evidence of in-the-wild exploitation for these other flaws.

CISA has added CVE-2024-5910 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address it by the end of the month. This is the second Palo Alto Networks product vulnerability added to the KEV list this year. 

Advertisement. Scroll to continue reading.

Palo Alto Networks announced recently that the core functionalities of the Expedition tool are being transferred into new products and Expedition will no longer be supported starting in January 2025. 

CISA on Thursday also added recently patched Android and CyberPanel vulnerabilities to its KEV catalog, alongside a 2019 Nostromo vulnerability that can allow remote code execution.  

Related: Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability 

Related: Palo Alto Patches Critical Firewall Takeover Vulnerabilities

Related: Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability

Related: Palo Alto Networks Patches Unauthenticated Command Execution Flaw in Cortex XSOAR

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

Anti-ransomware platform Arms Cyber has named Bob Kruse as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.