CISA Flags Critical Exploits in Palo Alto Networks’ Expedition with Public PoC Code

ServiceNow Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about two critical vulnerabilities in Palo Alto Networks Expedition that malicious actors are actively exploiting. These flaws, identified as CVE-2024-9463 and CVE-2024-9465, pose a significant risk to organizations using the Expedition platform, potentially leading to complete system compromise.

CVE-2024-9463: OS Command Injection Vulnerability (CVSS 9.9)

This highly critical vulnerability allows unauthenticated attackers to execute arbitrary commands on the underlying operating system with root privileges. Successful exploitation could grant attackers access to sensitive information such as firewall usernames, passwords, and API keys.

CVE-2024-9465: SQL Injection Vulnerability (CVSS 9.2)

This flaw enables attackers to inject malicious SQL code into Expedition’s database, allowing them to extract sensitive data. Compromised information could include password hashes, usernames, device configurations, and API keys, potentially providing attackers with the means to take complete control of the system.

Palo Alto Networks Expedition

Exposed endpoints without authentication | Image: Horizon3.ai

Adding to the concern, security researcher Zach Hanley of Horizon3.ai has publicly released a proof-of-concept exploit for CVE-2024-9465, making it easier for malicious actors to exploit this vulnerability.

Urgent Action Required

Palo Alto Networks has addressed these vulnerabilities in Expedition version 1.2.96 and urges all users to update their systems immediately. CISA has also added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all federal agencies patch their systems by December 5, 2024.

In addition to updating to the latest version, Palo Alto Networks recommends rotating all usernames, passwords, and API keys that have been processed by Expedition. Organizations should also restrict network access to Expedition, limiting it to authorized users only.

Related Posts: