A critical security vulnerability in Palo Alto Networks’ Expedition tool is being actively exploited by hackers. CISA urges patch – Learn how to protect your network and sensitive data by patching your Expedition software immediately.
If you have recently migrated your network configuration to Palo Alto Networks using their Expedition tool, you need to act quickly as a critical security flaw (CVE-2024-5910) in the tool is actively being exploited by threat actors. This means hackers can takeover administrator account, access sensitive configuration data, and even gain control over your firewalls if you haven’t patched your Expedition software.
For your information, Expedition is a handy tool that helps users seamlessly switch their network configuration from other vendors like Cisco or Checkpoint to their own products. It automates many steps, making the transition smoother for businesses. The tool will be will discontinued from January 2025.
Palo Alto Networks has reportedly been notified by the Cybersecurity and Infrastructure Security Agency (CISA) about the exploitation of a security flaw within its Expedition tool versions prior to 1.2.92. Palo Alto already released a patch for this vulnerability in July, but attackers are already exploiting it.
“Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA explained in its advisory.
The advisory warns that configuration secrets, credentials, and other data moved into Expedition are at risk due to the critical flaw as the tool can trigger an administrative account takeover for threat actors. This vulnerability is rated as “critical” with a CVSS score of 9.3 (out of 10) entails a missing authentication for Critical Function (CWE-306). This means it’s very easy for attackers to exploit and can have severe consequences.
Exploitation attempts likely rose in October when a security researcher Zach Hanley released a proof-of-concept (PoC) exploit. It demonstrates how to combine CVE-2024-5910 and another vulnerability (CVE-2024-9464) to execute unauthenticated remote code on vulnerable Expedition servers, allowing attackers to reset admin accounts and control firewall configurations.
CISA has added this vulnerability to its “Known Exploited Vulnerabilities” catalog, urging federal agencies to address it before November 28th.
To protect yourself, update your software to the latest version (1.2.92 or later). Once updated, change usernames, passwords, and API keys for both Expedition and firewalls processed through Expedition. Additionally, sign up for security alerts from Palo Alto Networks or other reputable sources to stay updated on the latest threats and vulnerabilities.
It is worth noting that the advisory comes after Threat intelligence firm Volexity discovered a zero-day exploit in April that affected Palo Alto Networks’ firewall appliances. The vulnerability had a maximum CVSS score of 10 and probably exploited by nation-state hackers, according to researchers.
John Bambenek, President at Bambenek Consulting weighed in on the situation stating, “This vulnerability lets attackers reach out and take over these devices without authentication and they are the kind of tool you set up for a tactical reason. Once the work is done, you forget about it. If, for whatever reason, you can’t shut it down, get these devices off the open Internet.“
